Refine your search
1 vulnerability found for by Stormshield
CVE-2026-8474 (GCVE-0-2026-8474)
Vulnerability from cvelistv5
Published
2026-06-01 07:47
Modified
2026-06-01 13:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Summary
A vulnerability was discovered on Stormshield Network Security
* 4.3.0 to 4.3.41,
* 4.8.0 to 4.8.15,
* 5.0.0 to 5.0.5
It is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim's machine. The risks include the theft of cookies or other sensitive data, as well as the modification of page behavior, for example, by redirecting the victim to malicious websites.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| StormShield | StormShield Network Security |
Version: 4.3.0 ≤ 4.3.41 Version: 4.8.0 ≤ 4.8.15 Version: 5.0.0 ≤ 5.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8474",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T13:05:31.957702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T13:05:45.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StormShield Network Security",
"vendor": "StormShield",
"versions": [
{
"lessThanOrEqual": "4.3.41",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.8.15",
"status": "affected",
"version": "4.8.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.0.5",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability was discovered on Stormshield Network Security\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e4.3.0 to 4.3.41,\u0026nbsp;\u003c/li\u003e\u003cli\u003e4.8.0 to 4.8.15,\u0026nbsp;\u003c/li\u003e\u003cli\u003e5.0.0 to 5.0.5\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eIt is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim\u0027s machine. The risks include the theft of cookies or other sensitive data, as well as the modification of page behavior, for example, by redirecting the victim to malicious websites.\u003c/p\u003e"
}
],
"value": "A vulnerability was discovered on Stormshield Network Security\u00a0\n\n\n\n\n\n * 4.3.0 to 4.3.41,\u00a0\n * 4.8.0 to 4.8.15,\u00a0\n * 5.0.0 to 5.0.5\n\n\n\n\n\n\n\n\nIt is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim\u0027s machine. The risks include the theft of cookies or other sensitive data, as well as the modification of page behavior, for example, by redirecting the victim to malicious websites."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T07:50:04.199Z",
"orgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
"shortName": "airbus"
},
"references": [
{
"url": "https://advisories.stormshield.eu/2026-003/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe following updates fix this vulnerability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSNS 5.0.6\u003c/li\u003e\u003cli\u003eSNS 4.8.16\u003c/li\u003e\u003cli\u003eSNS 4.3.42\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The following updates fix this vulnerability:\n\n * SNS 5.0.6\n * SNS 4.8.16\n * SNS 4.3.42"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possible to run a Cross Site Scripting request on the login API available on Stormshield SNS appliances.",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "24a3c815-5f22-4d74-967a-30958d6466f4",
"assignerShortName": "airbus",
"cveId": "CVE-2026-8474",
"datePublished": "2026-06-01T07:47:54.875Z",
"dateReserved": "2026-05-13T13:10:26.492Z",
"dateUpdated": "2026-06-01T13:05:45.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}