SQL Injection Vulnerability in Storage Concentrator by StoneFly
CVE-2026-55721

9.2 CRITICAL

What is CVE-2026-55721?

The Storage Concentrator and its virtual machine counterpart are susceptible to SQL injection due to improper handling of cookie values within login and debug scripts. An attacker can exploit this flaw by sending crafted cookie data, which is directly inserted into database queries without proper validation. This can lead to unauthorized access to sensitive information, including session tokens, password hashes, and secret keys stored in the database, significantly compromising system security.
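To illustrate the defect class described above, here is an added example (not StoneFly's code; the session table, column names and hex token format are assumptions) showing a cookie-driven session lookup that splices the cookie into the query beside a hardened version that validates the cookie's shape and binds it as a parameter:

```python
import re
import sqlite3

# Constructed demo schema standing in for the appliance's session table
# (table and column names are assumptions, not the real schema).
SCHEMA = """
CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT NOT NULL);
INSERT INTO sessions VALUES ('3f9a1c', 'admin'), ('77b0e2', 'operator');
"""

# Hypothetical token format: the session cookie is expected to be lowercase hex.
TOKEN_RE = re.compile(r"^[0-9a-f]{6,64}$")


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_session_unsafe(conn, cookie_value):
    """Vulnerable pattern: the raw cookie value becomes part of the SQL text,
    so whatever the client sends is handed to the SQL parser."""
    sql = f"SELECT username FROM sessions WHERE token = '{cookie_value}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_session_safe(conn, cookie_value):
    """Hardened pattern: reject cookies that do not look like a token, then
    bind the value as a parameter so the driver treats it purely as data."""
    if not TOKEN_RE.fullmatch(cookie_value):
        return None
    row = conn.execute(
        "SELECT username FROM sessions WHERE token = ?", (cookie_value,)
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = open_demo_db()
    legit = "3f9a1c"
    hostile = "3f9a1c'"  # constructed: a cookie carrying a stray quote
    results = {
        "legit_unsafe": lookup_session_unsafe(conn, legit),
        "legit_safe": lookup_session_safe(conn, legit),
        "hostile_safe": lookup_session_safe(conn, hostile),
    }
    try:
        lookup_session_unsafe(conn, hostile)
        results["hostile_unsafe"] = "query accepted"
    except sqlite3.OperationalError:
        # The quote reached the parser: the symptom defenders see in DB logs.
        results["hostile_unsafe"] = "sql syntax error"
    return results
```

The database error raised by the unsafe path is the observable sign that cookie content is being parsed as SQL; the safe path returns no session for the same input without ever touching the parser.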

Affected Version(s)

Storage Concentrator: all versions before 8.0.4.22

Storage Concentrator Virtual Machine: all versions before 8.0.4.22

Storage Concentrator 8.0.4.29

References

CVSS v4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

David Yesland of Rhino Security Labs reported this vulnerability to CISA.