Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated cookie injection at a network-reachable endpoint gives AV:N/AC:L/PR:N/UI:N; disclosure of credentials usable beyond the database warrants S:C and C:H, with limited I:L and no availability impact.
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.
AnalysisAI
SQL injection in StoneFly Storage Concentrator (SC and SCVM) lets an unauthenticated remote attacker read sensitive database contents by injecting through the cookie value handled by the login.pl and debug.pl CGI scripts. Successful exploitation discloses session tokens, password hashes, and stored secret keys, enabling authentication bypass and broader compromise of the storage appliance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network access to the Storage Concentrator web management interface and the ability to send an HTTP request with an attacker-chosen cookie value to the login.pl or debug.pl scripts - no authentication, no user interaction, and no non-default configuration are needed (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk is high. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the appliance's web interface sends an HTTP request to login.pl or debug.pl with a crafted cookie containing SQL injection syntax. Because no authentication is required and complexity is low, the attacker iteratively extracts the credentials table, recovering password hashes, valid session tokens, and secret keys, then replays a stolen session token or cracked hash to authenticate as an administrator. … |
| Remediation | No vendor-released patch version was identified in the provided data; consult the CISA advisory (ICSA-26-181-06) and StoneFly support (https://stonefly.com/contact-us/) for an updated build and apply it as the primary fix once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all StoneFly Storage Concentrator instances (SC and SCVM models) and assess network exposure to affected CGI scripts (login.pl, debug.pl). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40459
GHSA-864f-9wr6-7qwp