
Add vpatch-CVE-2026-39808 rule and test #50

Open
crowdsec-automation wants to merge 4 commits into master from 1781692567-vpatch-CVE-2026-39808

Conversation

@crowdsec-automation


This rule targets the Fortinet FortiSandbox command injection vulnerability (CVE-2026-39808) by focusing on the vulnerable endpoint /fortisandbox/job-detail/tracer-behavior and the jid parameter. The attack leverages shell metacharacters, specifically the sequence |(, which is used in the exploit payload to inject OS commands. The rule:

  • Matches requests to the vulnerable URI, using lowercase and urldecode transforms to ensure normalization and case insensitivity.
  • Specifically inspects the jid argument for the presence of the |( pattern, which is indicative of command injection attempts.
  • The transforms ensure that encoded or case-variant payloads are detected.
  • The labels section includes the correct CVE, ATT&CK, and CWE references, and the rule is classified as an RCE for FortiSandbox.
  • The test nuclei template is adapted to expect a 403 response, as required for WAF detection validation.

Validation Checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase (and urldecode where applicable).
  • No match.value contains capital letters.
  • The rule uses contains instead of regex where applicable.
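The following Python is an added illustration of the detection logic the description above lists, not the hub rule itself and not code from CrowdSec: it normalizes the URI and the jid argument with one urldecode pass followed by lowercase, then applies a "contains" check for the |( sequence. The endpoint path, the argument name and the |( marker are taken from the description; treating an urlencoded body as part of ARGS, decoding exactly once, and every sample request are assumptions made for this example.

```python
"""Added illustration of the detection logic the PR describes for
vpatch-CVE-2026-39808: match the vulnerable URI, then look for the "|("
sequence in the jid argument after urldecode and lowercase transforms.
This is a stand-alone re-implementation for reading purposes, not the hub
rule itself and not the CrowdSec AppSec engine; the request samples below
are constructed."""
from urllib.parse import unquote, urlsplit

VULN_PATH = "/fortisandbox/job-detail/tracer-behavior"  # from the PR description
TARGET_ARG = "jid"                                       # from the PR description
INJECTION_MARKER = "|("                                  # from the PR description


def transform(value: str) -> str:
    """The rule's transforms: one urldecode pass, then lowercase.
    Decoding exactly once is an assumption of this example; see the
    double-encoded sample at the end of SAMPLE_REQUESTS."""
    return unquote(value).lower()


def parse_args(encoded: str) -> dict[str, list[str]]:
    """Split a query string or urlencoded body into name -> raw values.
    Values are kept encoded so that transform() is the only place decoding
    happens; parse_qs() would silently add a decode pass of its own."""
    args: dict[str, list[str]] = {}
    for pair in filter(None, encoded.split("&")):
        name, _, raw = pair.partition("=")
        args.setdefault(unquote(name).lower(), []).append(raw)
    return args


def matches_vpatch(request_target: str, body: str = "") -> bool:
    """True when a request would trip the rule as described in the PR."""
    parts = urlsplit(request_target)
    # Zone URI: "contains" match on the normalized path.
    if VULN_PATH not in transform(parts.path):
        return False
    # Zone ARGS restricted to the jid variable; query string and body both count
    # (treating the body as part of ARGS is an assumption of this example).
    args = parse_args(parts.query)
    for name, values in parse_args(body).items():
        args.setdefault(name, []).extend(values)
    return any(INJECTION_MARKER in transform(v) for v in args.get(TARGET_ARG, []))


# Constructed sample traffic: (request target, body, why it is here).
SAMPLE_REQUESTS = [
    ("/fortisandbox/job-detail/tracer-behavior?jid=123|(id)", "", "plain payload"),
    ("/FortiSandbox/Job-Detail/Tracer-Behavior?jid=1%7C%28id%29", "", "mixed case + urlencoded"),
    ("/fortisandbox/job-detail/tracer-behavior", "jid=1%7c%28id%29", "payload in body"),
    ("/fortisandbox/job-detail/tracer-behavior?jid=12345", "", "benign jid"),
    ("/other/path?jid=1|(id)", "", "wrong endpoint"),
    ("/fortisandbox/job-detail/tracer-behavior?foo=1|(id)", "", "wrong argument"),
    ("/fortisandbox/job-detail/tracer-behavior?jid=1%257C%2528id%2529", "",
     "double-encoded, a single decode pass misses it"),
]


def run_samples() -> list[tuple[str, bool]]:
    """Evaluate every sample; returns (description, matched) pairs."""
    return [(why, matches_vpatch(target, body)) for target, body, why in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for why, hit in run_samples():
        print(f"{'BLOCK' if hit else 'pass '}  {why}")
```

The last sample is the caveat a reviewer would raise against any single-pass urldecode transform: a payload encoded twice (%257C%2528) decodes to %7C%28 and never reaches |(, so it only trips the check if a second decode pass is applied. Whether that matters for this endpoint depends on how FortiSandbox itself decodes the parameter, which the PR does not establish.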

@github-actions


Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2026-39808 🔴

@github-actions


Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
