Advisory ID: STONEFLY-SA-2026-001
Related Advisory: CISA ICSA-26-181-06
Severity: Critical (multiple vulnerabilities)

| Product | Affected Versions |
| --- | --- |
| Storage Concentrator | Versions earlier than 8.0.4.22, 8.0.4.26, or 8.0.4.29 depending on the vulnerability. |
| Storage Concentrator Virtual Machine (SCVM) | Versions earlier than 8.0.4.22, 8.0.4.26, or 8.0.4.29 depending on the vulnerability. |

| CVE | Type | CVSS v3.1 | Summary |
| --- | --- | --- | --- |
| CVE-2026-56413 | OS Command Injection | 10.0 | Unauthenticated command injection in a management service may allow arbitrary command execution with elevated privileges. |
| CVE-2026-56415 | OS Command Injection | 10.0 | Command injection in a debugging component may permit arbitrary operating system command execution. |
| CVE-2026-55721 | SQL Injection | 9.3 | Improper input validation may allow unauthenticated SQL injection and exposure of sensitive information. |
| CVE-2026-50110 | Hard-coded Credentials | 9.2 | Embedded credentials in internal components could enable unauthorized access if recovered. |
| CVE-2026-50040 | Reflected Cross-Site Scripting | Medium | Improper handling of user input on error pages may allow reflected XSS. |