Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
StoneFly recommends that users upgrade to Storage Concentrator version 8.0.4.29 or later to remediate these vulnerabilities.
Workaround
No workaround given by the vendor.
References
History
Tue, 30 Jun 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system. | |
| Title | OS Command Injection in StoneFly Storage Concentrator | |
| Weaknesses | CWE-78 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: icscert
Published:
Updated: 2026-06-30T22:40:55.582Z
Reserved: 2026-06-22T20:13:36.516Z
Link: CVE-2026-56415
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T09:00:14Z
Weaknesses