CVE-2026-55721
SQL Injection in StoneFly Storage Concentrator
| CVSS Score | 9.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.
| CWE | CWE-89 |
| Vendor | stonefly |
| Product | storage concentrator |
| Published | Jun 30, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
Affected Versions
| StoneFly / Storage Concentrator | 0 < 8.0.4.22 |
| StoneFly / Storage Concentrator Virtual Machine | 0 < 8.0.4.22 |
Credits
David Yesland of Rhino Security Labs reported this vulnerability to CISA.