CVE-2026-50040

MEDIUM
6.1
CVSS 3.1
Description
Storage Concentrator (SC & SCVM) is vulnerable to reflected cross-site scripting due to unsanitized content being echoed back in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, causes arbitrary script content to execute within the victim's browser session in the context of the application. This could be leveraged to steal session cookies, redirect users, or perform unauthorized actions on behalf of the victim.

Metadata

CVE ID
CVE-2026-50040
State
PUBLISHED
Assigner
icscert
Reserved
2026-06-22 20:13 UTC
Published
2026-06-30 22:27 UTC
Last updated
2026-06-30 22:27 UTC
Primary CWE
CWE-79
CWE-79 Improper neutralization of input during web page gene…
Vendor / Product
StoneFly / Storage Concentrator
Sources
cve.org  ·  NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products (2)
| Vendor | Product | Platform | Versions |
| --- | --- | --- | --- |
| StoneFly | Storage Concentrator | | 0 < 8.0.4.22, 8.0.4.29 |
| StoneFly | Storage Concentrator Virtual Machine | | 0 < 8.0.4.22, 8.0.4.29 |
Weakness (CWE)
| CWE | Source | Description |
| --- | --- | --- |
| CWE-79 | cna | CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
| --- | --- | --- | --- | --- |
| 6.1 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| 5.1 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N |