PSIRT

SQL Injection via JSON RPC API

Summary

An improper neutralization of special elements used in an SQL command ('SQL injection') [CWE-89] in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests.

Affected Products

| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiAnalyzer 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.4 | Not affected | Not Applicable |
| FortiAnalyzer Cloud 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiAnalyzer Cloud 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiAnalyzer Cloud 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAnalyzer Cloud 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer Cloud 6.4 | Not affected | Not Applicable |
| FortiManager 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiManager 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiManager 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiManager 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiManager 6.4 | Not affected | Not Applicable |
| FortiManager Cloud 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiManager Cloud 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiManager Cloud 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiManager Cloud 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiManager Cloud 6.4 | Not affected | Not Applicable |

Acknowledgement

Internally discovered and reported by David Maciejak of the Fortinet Product Security team.

Timeline

2026-04-14: Initial publication

Advisory Details

IR Number: FG-IR-26-111
Published Date: Apr 14, 2026
Component: API
Severity: Medium
Discovered: Internal
Attack Type: Authenticated
Known Exploited: No
CVSSv3 Score: 6.8
Impact: Execute unauthorized code or commands
CVE ID: CVE-2025-61848
An SQL injection vulnerability (CVE-2025-61848, CVSSv3 6.8) in the JSON RPC API of FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests. Affected versions are FortiAnalyzer/FortiManager (including the Cloud variants) 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, and all versions of the 7.2 and 7.0 branches; the 6.4 branch is not affected. The remediation is to upgrade to 7.6.5 or above, or 7.4.9 or above, and to migrate the 7.2 and 7.0 branches to a fixed release.
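For fleet triage, the practical question is whether a given build falls inside the affected ranges above. The following is an added example (not Fortinet code or tooling) that transcribes the advisory's version matrix into a small checker: it parses `MAJOR.MINOR.PATCH` strings, applies the per-branch ranges, reports branches the advisory does not list rather than guessing, and filters an inventory down to the hosts that need action. The inventory entries at the bottom are constructed sample data; the product names, branches and fixed releases are taken from the advisory.

```python
"""Checker for FG-IR-26-111 (CVE-2025-61848): is this FortiAnalyzer/FortiManager build affected?

Added example; the affected ranges are transcribed from the advisory table, everything
else (function names, result codes, sample inventory) is this example's own.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Branch(NamedTuple):
    affected_from: Optional[Version]  # None -> branch not affected
    affected_to: Optional[Version]    # None (with affected_from set) -> all versions affected
    fixed: Optional[str]              # first fixed release, if the branch has one


# Per-branch matrix from the advisory; identical for all four listed products.
BRANCHES: Dict[Tuple[int, int], Branch] = {
    (7, 6): Branch((7, 6, 0), (7, 6, 4), "7.6.5"),
    (7, 4): Branch((7, 4, 0), (7, 4, 8), "7.4.9"),
    (7, 2): Branch((7, 2, 0), None, None),   # all versions affected; migrate
    (7, 0): Branch((7, 0, 0), None, None),   # all versions affected; migrate
    (6, 4): Branch(None, None, None),        # not affected
}

PRODUCTS = {"FortiAnalyzer", "FortiAnalyzer Cloud", "FortiManager", "FortiManager Cloud"}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; reject anything else so a bad inventory row is loud."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(product: str, version: str) -> Tuple[str, str]:
    """Return (status, advice) where status is one of
    'affected', 'not-affected', 'not-listed'."""
    if product not in PRODUCTS:
        return ("not-listed", f"{product} is not a product covered by FG-IR-26-111")
    v = parse_version(version)
    branch = BRANCHES.get((v[0], v[1]))
    if branch is None:
        # e.g. a newer branch than the advisory enumerates: do not assume either way.
        return ("not-listed", f"{product} {v[0]}.{v[1]} branch is not listed in FG-IR-26-111")
    if branch.affected_from is None:
        return ("not-affected", f"{product} {v[0]}.{v[1]} branch is not affected")
    if branch.affected_to is None:
        return ("affected", f"all {v[0]}.{v[1]} versions affected; migrate to a fixed release (7.4.9+ or 7.6.5+)")
    if branch.affected_from <= v <= branch.affected_to:
        return ("affected", f"upgrade to {branch.fixed} or above")
    return ("not-affected", f"{version} is at or above fixed release {branch.fixed}")


def needs_action(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Filter (hostname, product, version) rows down to hosts that are affected or unlisted."""
    out = []
    for host, product, version in inventory:
        status, advice = assess(product, version)
        if status != "not-affected":
            out.append((host, f"{status}: {advice}"))
    return out


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for illustration).
    sample = [
        ("faz-01", "FortiAnalyzer", "7.6.3"),
        ("faz-02", "FortiAnalyzer Cloud", "7.4.9"),
        ("fmg-01", "FortiManager", "7.2.7"),
        ("fmg-02", "FortiManager Cloud", "6.4.12"),
        ("fmg-03", "FortiManager", "7.8.0"),
    ]
    for host, line in needs_action(sample):
        print(f"{host}: {line}")
```

The checker deliberately returns `not-listed` for branches and products outside the advisory's table instead of reporting them as safe; an inventory script that silently treats unknown builds as unaffected is a common way to miss a host.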