XSS in default error page Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-25-736 Final 1 1 2025-11-18T00:00:00 Current version 2025-11-18T00:00:00 2025-11-18T00:00:00 An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability [CWE-80] in FortiADC virtual server's default error page may allow an unauthenticated attacker to execute malicious code via crafted URL. None Execute unauthorized code or commands None https://fortiguard.fortinet.com/psirt/FG-IR-25-736 XSS in default error page https://docs.fortinet.com/document/fortiadc/7.4.8/handbook/496707/configuring-error-pages https://docs.fortinet.com/document/fortiadc/7.4.8/handbook/496707/configuring-error-pages Fortinet is pleased to thank ShenkerGroup and Italian ACN (National Authority Cybersecurity) for reporting this vulnerability under responsible disclosure. FortiADC 8.0.0 FortiADC 7.6.3 FortiADC 7.6.2 FortiADC 7.6.1 FortiADC 7.6.0 FortiADC 7.4.10 FortiADC 7.4.9 FortiADC 7.4.8 FortiADC 7.4.7 FortiADC 7.4.6 FortiADC 7.4.5 FortiADC 7.4.4 FortiADC 7.4.3 FortiADC 7.4.2 FortiADC 7.4.1 FortiADC 7.4.0 FortiADC 7.2.8 FortiADC 7.2.7 FortiADC 7.2.6 FortiADC 7.2.5 FortiADC 7.2.4 FortiADC 7.2.3 FortiADC 7.2.2 FortiADC 7.2.1 FortiADC 7.2.0 CVE-2025-58412 FortiADC-8.0.0 FortiADC-7.6.3 FortiADC-7.6.2 FortiADC-7.6.1 FortiADC-7.6.0 FortiADC-7.4.10 FortiADC-7.4.9 FortiADC-7.4.8 FortiADC-7.4.7 FortiADC-7.4.6 FortiADC-7.4.5 FortiADC-7.4.4 FortiADC-7.4.3 FortiADC-7.4.2 FortiADC-7.4.1 FortiADC-7.4.0 FortiADC-7.2.8 FortiADC-7.2.7 FortiADC-7.2.6 FortiADC-7.2.5 FortiADC-7.2.4 FortiADC-7.2.3 FortiADC-7.2.2 FortiADC-7.2.1 FortiADC-7.2.0 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-25-736 XSS in default error page Reference> https://docs.fortinet.com/document/fortiadc/7.4.8/handbook/496707/configuring-error-pages https://docs.fortinet.com/document/fortiadc/7.4.8/handbook/496707/configuring-error-pages