CVE-2026-8474
Description
Reflected XSS vulnerability in Stormshield SNS login API allows cookie theft and page manipulation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the login API of Stormshield Network Security (SNS) appliances. The vulnerability affects SNS versions 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5 [1]. An attacker can inject arbitrary JavaScript code into the login API response, which is then executed in the victim's browser.
Exploitation
The attacker can exploit this vulnerability by sending a crafted HTTP request to the login API endpoint. The attack requires no authentication or user interaction (CVSS: UI:N) [1]. The attacker can lure the victim to a malicious link or embed the request in a webpage; when the victim navigates to the crafted URL, the injected script executes in the context of the SNS web interface.
Impact
Successful exploitation allows the attacker to steal session cookies, deface the page, or redirect the victim to malicious websites. The CVSS scores indicate a low integrity impact and no confidentiality impact; however, cookie theft can lead to session hijacking.
Mitigation
Stormshield has released fixed versions: SNS 5.0.6, 4.8.16, and 4.3.42 [1]. No workaround is available. Users should upgrade to the latest patched version as soon as possible.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=4.3.0 <=4.3.41, >=4.8.0 <=4.8.15, >=5.0.0 <=5.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output encoding in the login API response allows attacker-supplied input to be interpreted as HTML/JavaScript."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to the SNS login API with a malicious payload embedded in a parameter. Because no user interaction is required (UI:N) and no privileges are needed (PR:N), the attacker only needs to lure the victim into visiting a crafted URL. The reflected payload executes in the victim's browser in the context of the SNS appliance's origin, enabling cookie theft or page redirection [ref_id=1].
Affected code
The advisory identifies the login API on Stormshield SNS appliances as the vulnerable component [ref_id=1]. No specific function names or file paths are disclosed.
What the fix does
The advisory does not include a patch diff, but the remediation is to upgrade to SNS 5.0.6, SNS 4.8.16, or SNS 4.3.42 [ref_id=1]. These fixed versions properly encode or sanitize user-supplied input before reflecting it in the login API response, preventing script injection. No workaround is available [ref_id=1].
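As an added illustration (not Stormshield's code; the advisory discloses no source), a hypothetical login handler that reflects the submitted username, shown as the unencoded pattern the root cause describes beside an encoded version whose response headers also limit the impact of any encoding gap and keep the session cookie out of script reach. All names and the sample input are constructed for this example.

```python
import html
from typing import Dict

# Constructed sample input, as it might arrive in a login request parameter.
SAMPLE_USER = '<img src=x onerror="alert(1)">'


def render_login_error_vulnerable(username: str) -> str:
    """Echoes the submitted value into the HTML body without encoding.

    This is the CWE-79 pattern the advisory describes: attacker-controlled
    input in the response is interpreted by the browser as markup/script.
    """
    return f"<p>Login failed for user {username}</p>"


def render_login_error_fixed(username: str) -> str:
    """Same response, but every reflected value is HTML-encoded first.

    quote=True also encodes ' and ", so the value is inert even inside an
    attribute context, not only in text nodes.
    """
    return f"<p>Login failed for user {html.escape(username, quote=True)}</p>"


def hardened_response(username: str) -> Dict[str, object]:
    """Encoded body plus defence-in-depth headers (hypothetical handler)."""
    return {
        "status": 401,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            # No 'unsafe-inline': inline scripts and event handlers are blocked
            # even if an encoding gap is ever missed.
            "Content-Security-Policy": "default-src 'self'; script-src 'self'",
            # HttpOnly keeps the session cookie unreadable from document.cookie,
            # which removes the cookie-theft outcome the impact section names.
            "Set-Cookie": "session=<placeholder>; HttpOnly; Secure; SameSite=Strict",
        },
        "body": render_login_error_fixed(username),
    }


def reflects_unencoded(response_body: str, submitted: str) -> bool:
    """Regression check: True if a submitted value containing markup
    characters reappears verbatim (unencoded) in the response body."""
    has_markup = any(c in submitted for c in "<>\"'")
    return has_markup and submitted in response_body
```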
Preconditions
- Network: Attacker must be able to send HTTP requests to the SNS login API endpoint.
- Input: Victim must visit a crafted URL containing the XSS payload.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.