CVE-2026-56415
CRITICALOS Command Injection in StoneFly Storage Concentrator
Title source: cnaDescription
Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.
Scores
CVSS v3
10.0
EPSS
0.0307
EPSS Percentile
86.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (4)
Stonefly/Storage Concentrator
< 8.0.4.22
Stonefly/Storage Concentrator
8.0.4.29
Stonefly/Storage Concentrator Virtual Machine
< 8.0.4.22
Stonefly/Storage Concentrator Virtual Machine
8.0.4.29
Published
Jun 30, 2026
Tracked Since
Jul 01, 2026