CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50110

criticalCVSS 9.2covered by 2 sourcesfirst seen 2026-06-30
View CSAF Summary Successful exploitation of these vulnerabilities could allow attackers to gain broad unauthorized access, execute arbitrary commands with root privileges, steal sensitive data, and perform actions on behalf of legitimate users across interconnected systems. The following versions of StoneFly Storage Concentrator are affected: Storage Concentrator <8.0.4.22 (CVE-2026-56415, CVE-2026-55721, CVE-2026-50040) Storage Concentrator Virtual Machine <8.0.4.22 (CVE-2026-56415, CVE-2026-55721, CVE-2026-50040) Storage Concentrator <8.0.4.26 (CVE-2026-50110) Storage Concentrator Virtual Machine <8.0.4.26 (CVE-2026-50110) Storage Concentrator <8.0.4.29 (CVE-2026-56413) Storage Concentrator Virtual Machine <8.0.4.29 (CVE-2026-56413) CVSS Vendor Equipment Vulnerabilities v3 10 StoneFly StoneFly Storage Concentrator Use of Hard-coded Credentials, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Background Critical Infrastructure Sectors: Defense Industrial Base, Energy, Financial Services, Healthcare and Public Health, Information Technology Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-50110 Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems. View CVE Details Affected Products StoneFly Storage Concentrator Vendor:

CSIRTS triage

vendor: StoneFlyproduct: Storage ConcentratorRemote code executionOtheraffected: <8.0.4.22 for Storage Concentrator and Virtual Machine, <8.0.4.26, <8.0.4.29
What
Exploitation could allow unauthorized access and execution of arbitrary commands with root privileges.
Who is affected
Users of Storage Concentrator and Virtual Machine with affected versions.
Urgency
Remediation is critical due to the severity of the vulnerabilities.
Action
Update to versions above the specified limits.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-50110

Get an email if CVE-2026-50110 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-50110

CVE.org record

Embed the live status

CVE-2026-50110 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50110 status](https://www.csirts.com/badge/CVE-2026-50110)](https://www.csirts.com/cve/CVE-2026-50110)