HTTP response splitting in FortiProxy and FortiOS - CVE-2025-62826
Published: July 14, 2026
FortiProxy
FortiOS
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper neutralization of crlf sequences in http headers ('http response splitting') in captive portal authentication form. An attacker able can intercept and modify a user's authentication request to inject arbitrary headers via crafted HTTP requests.