Skip to main content

Storage Concentrator Virtual Machine

1 CVEs product

Monthly

CVE-2026-50040 MEDIUM PATCH CISA This Month

Reflected XSS in Stonefly Storage Concentrator (SC) and Storage Concentrator Virtual Machine (SCVM) allows an unauthenticated attacker to craft a malicious URL that, when opened by an authenticated storage administrator, causes arbitrary JavaScript to execute within the victim's browser session under the application's origin. The vulnerability stems from unsanitized user-supplied content being echoed directly into 404 error page responses, enabling session cookie theft, unauthorized administrative actions, or user redirection against storage management infrastructure. Reported via ICS-CERT (CISA advisory ICSA-26-181-06), no public exploit code or CISA KEV listing has been identified at time of analysis, though the ICS/OT context amplifies the downstream impact of successful exploitation.

XSS Storage Concentrator Storage Concentrator Virtual Machine
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Reflected XSS in Stonefly Storage Concentrator (SC) and Storage Concentrator Virtual Machine (SCVM) allows an unauthenticated attacker to craft a malicious URL that, when opened by an authenticated storage administrator, causes arbitrary JavaScript to execute within the victim's browser session under the application's origin. The vulnerability stems from unsanitized user-supplied content being echoed directly into 404 error page responses, enabling session cookie theft, unauthorized administrative actions, or user redirection against storage management infrastructure. Reported via ICS-CERT (CISA advisory ICSA-26-181-06), no public exploit code or CISA KEV listing has been identified at time of analysis, though the ICS/OT context amplifies the downstream impact of successful exploitation.

XSS Storage Concentrator Storage Concentrator Virtual Machine
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy