Microsoft Exchange Server Cross-Site Scripting Vulnerability
Release Date: 15th May 2026
Impact: HIGH / CRITICAL
TLP Rating: Clear
The Department of Communication and Digital Transformation (DCDT) through CERT Vanuatu (CERTVU), provides the following advisory.
This alert is relevant to organisations and system/network administrators that operate the product named above. It is written for technical users and systems administrators.
What is it?
CVE-2026-44277 is a critical vulnerability (CVSS 9.8) affecting Fortinet FortiAuthenticator. The flaw is classified as an improper access control vulnerability (CWE-284).
What are the systems affected?
The following versions of Fortinet FortiAuthenticator are affected:
- FortiAuthenticator 8.0.0 and 8.0.2
- FortiAuthenticator 6.6.0 through 6.6.8
- FortiAuthenticator 6.5.0 through 6.5.6
- FortiAuthenticator 6.4.0 through 6.4.10
What does this mean?
The vulnerability is exploitable over the network and requires no authentication.
Typical exploitation flow:
1. Target discovery
   - Attackers identify internet-facing FortiAuthenticator appliances.
2. Crafted request delivery
   - Malicious HTTP/HTTPS requests are sent to vulnerable services or management interfaces.
3. Access control bypass
   - The appliance improperly validates access permissions.
4. Unauthorized command or code execution
   - The attacker executes commands or interacts with privileged functionality.
5. Post-compromise activity
   - Attackers may:
     - Steal authentication data
     - Manipulate MFA workflows
     - Create unauthorized accounts
     - Pivot into internal enterprise systems
Mitigation process
CERTVU recommends upgrading to one of the following fixed versions:
- 6.5.7 or later
- 6.6.9 or later
- 8.0.3 or later
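A small triage helper, added here as an example and not part of the CERTVU advisory or Fortinet's tooling: it checks a FortiAuthenticator version string from an asset inventory against the affected versions and fixed releases listed above. The 8.0 branch is treated exactly as written (8.0.0 and 8.0.2 individually), and the 6.4 branch is reported as having no fixed release listed in this advisory rather than guessing one.

```python
# Added example (not from the CERTVU advisory): triage FortiAuthenticator
# versions against the CVE-2026-44277 ranges and fixes listed above.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# 8.0.0 and 8.0.2 are listed individually in the advisory, so they are
# matched exactly rather than as a range.
AFFECTED_EXACT = {(8, 0, 0), (8, 0, 2)}

# Inclusive ranges exactly as listed in the advisory.
AFFECTED_RANGES = [
    ((6, 6, 0), (6, 6, 8)),
    ((6, 5, 0), (6, 5, 6)),
    ((6, 4, 0), (6, 4, 10)),
]

# First fixed release per branch, as listed in the advisory.
# The 6.4 branch has no fixed release listed, so it is deliberately absent.
FIXED_RELEASES = {(8, 0): (8, 0, 3), (6, 6): (6, 6, 9), (6, 5): (6, 5, 7)}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (e.g. '6.6.3'); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiAuthenticator version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return v in AFFECTED_EXACT or any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release for this branch, or None if the advisory lists none."""
    fix = FIXED_RELEASES.get(parse_version(version)[:2])
    return ".".join(map(str, fix)) if fix else None


def assess(version: str) -> str:
    """One-line verdict for an inventory entry."""
    if not is_affected(version):
        return f"{version}: not in an affected version listed in this advisory"
    fix = recommended_fix(version)
    if fix is None:
        return f"{version}: AFFECTED; no fixed release listed for this branch"
    return f"{version}: AFFECTED; upgrade to {fix} or later"


if __name__ == "__main__":
    for v in ["6.6.3", "6.5.7", "8.0.2", "6.4.4"]:  # constructed sample inventory
        print(assess(v))
```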
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2026-44277
- https://fortiguard.fortinet.com/psirt/FG-IR-26-128