An improper neutralization of special elements used in an OS command vulnerability (‘OS Command Injection’) [CWE-78] in FortiWeb may allow authenticated users to execute unauthorized code or commands via crafted HTTP GET requests to WAD configuration handlers.