Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 - CVE-2026-21643
TL;DR: Bishop Fox researchers expanded on Fortinet’s disclosure of CVE-2026-21643 by identifying practical exploitation paths. Our analysis shows attackers can abuse the publicly accessible /api/v1/init_consts endpoint to trigger the SQL injection before authentication. Because this endpoint returns database error messages ...
