Arbitrary file deletion in administrative interface Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-26-094 Final 1 1 2026-03-10T00:00:00 Current version 2026-03-10T00:00:00 2026-03-10T00:00:00 An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEBUI may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests. None Execute unauthorized code or commands None Internally discovered and reported by Adham El karn of Fortinet Product Security team. FortiDeceptor 6.2.0 FortiDeceptor 6.0.3 FortiDeceptor 6.0.2 FortiDeceptor 6.0.1 FortiDeceptor 6.0.0 FortiDeceptor 5.3.4 FortiDeceptor 5.3.3 FortiDeceptor 5.3.2 FortiDeceptor 5.3.1 FortiDeceptor 5.3.0 FortiDeceptor 5.2.2 FortiDeceptor 5.2.1 FortiDeceptor 5.2.0 FortiDeceptor 5.1.0 FortiDeceptor 5.0.0 FortiDeceptor 4.3.0 FortiDeceptor 4.2.0 FortiDeceptor 4.1.1 FortiDeceptor 4.1.0 FortiDeceptor 4.0.2 FortiDeceptor 4.0.1 FortiDeceptor 4.0.0 CVE-2026-25689 FortiDeceptor-6.2.0 FortiDeceptor-6.0.3 FortiDeceptor-6.0.2 FortiDeceptor-6.0.1 FortiDeceptor-6.0.0 FortiDeceptor-5.3.4 FortiDeceptor-5.3.3 FortiDeceptor-5.3.2 FortiDeceptor-5.3.1 FortiDeceptor-5.3.0 FortiDeceptor-5.2.2 FortiDeceptor-5.2.1 FortiDeceptor-5.2.0 FortiDeceptor-5.1.0 FortiDeceptor-5.0.0 FortiDeceptor-4.3.0 FortiDeceptor-4.2.0 FortiDeceptor-4.1.1 FortiDeceptor-4.1.0 FortiDeceptor-4.0.2 FortiDeceptor-4.0.1 FortiDeceptor-4.0.0 6.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:F/RL:O/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-26-094 Arbitrary file deletion in administrative interface Reference>