MEDIUM 5.3

CVE-2026-8474: Reflected XSS in Stormshield SNS Login API

A reflected cross-site scripting (XSS) vulnerability exists in the login API of Stormshield Network Security (SNS) appliances. An attacker can craft a malicious link or inject code that, when accessed by a user, executes arbitrary JavaScript in their browser. This could allow theft of session cookies, capture of credentials, or redirection to phishing sites. The vulnerability affects versions 4.3.0–4.3.41, 4.8.0–4.8.15, and 5.0.0–5.0.5.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was discovered on Stormshield Network Security  * 4.3.0 to 4.3.41,  * 4.8.0 to 4.8.15,  * 5.0.0 to 5.0.5 It is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim's machine. The risks include the theft of cookies or other sensitive data, as well as the modification of page behavior, for example, by redirecting the victim to malicious websites.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8474 is a reflected XSS vulnerability (CWE-79) in the Stormshield SNS login API. The flaw allows unauthenticated attackers to inject malicious scripts into the login interface without requiring user interaction beyond clicking a link. The attack vector is network-based, requires no privileges, and does not depend on special configurations. The vulnerability has a CVSS 3.1 score of 5.3 (Medium severity) with a vector indicating low integrity impact and no confidentiality or availability impact in the CVSS model—though in practice, XSS can facilitate credential theft or privilege escalation through session hijacking.

Business impact

If exploited, this vulnerability could compromise administrator or operator access to SNS appliances, potentially allowing attackers to bypass network security controls, modify firewall rules, or extract sensitive configuration data. For organizations relying on SNS for perimeter defense, successful exploitation could create a foothold for lateral movement into protected networks. The reflected nature of the attack means it requires social engineering (e.g., phishing links) but does not require the attacker to compromise the appliance itself—the victim's browser becomes the attack vector.

Affected systems

Stormshield Network Security appliances running versions 4.3.0 through 4.3.41, 4.8.0 through 4.8.15, and 5.0.0 through 5.0.5 are vulnerable. Organizations should identify all SNS instances and verify their firmware versions against this list. Patched versions will be available from Stormshield; consult their security advisory for exact fixed versions.

Exploitability

This vulnerability is relatively straightforward to exploit from a technical standpoint. An attacker crafts a URL containing malicious JavaScript, embeds it in a phishing email or compromised website, and waits for an SNS administrator to click the link. No authentication is required, and the attack succeeds on the victim's machine without requiring the attacker to interact with the appliance directly. However, exploitability in the wild depends on the attacker's ability to socially engineer a targeted user, which adds friction. The vulnerability is not listed in the CISA KEV catalog, suggesting limited evidence of active weaponization as of the publication date.

Remediation

Immediately upgrade affected SNS appliances to patched firmware versions provided by Stormshield. Verify the specific patch versions in Stormshield's official security advisory. As an interim measure, restrict access to the SNS login API to trusted IP ranges, implement Web Application Firewall (WAF) rules to sanitize input on the login interface, and educate administrators about phishing risks. Monitor logs for suspicious input patterns or unusual login attempts.

Patch guidance

Contact Stormshield and consult their security advisory for the exact patched firmware versions for each affected branch (4.3.x, 4.8.x, 5.0.x). Firmware updates should be tested in a staging environment before production deployment. Plan patching during a maintenance window, as appliance updates may require brief downtime. Verify patch application by confirming the new firmware version in the appliance management interface post-update.

Detection guidance

Monitor SNS appliance logs for unusual characters or script tags in login API requests (payloads containing <script>, onerror=, onclick=, etc.). Web-based vulnerability scanners can identify reflected XSS by injecting test payloads into login parameters and observing if they are echoed unsanitized in responses. For proactive detection, implement input validation testing and consider deploying a WAF in front of the appliance to filter malicious payloads. Monitor for abnormal login sessions or browser-based attacks originating from administrator workstations.

Why prioritize this

Although the CVSS score is Medium (5.3), the practical risk is higher because SNS appliances are critical security infrastructure. Compromise of an appliance's administrator interface could allow attackers to disable or reconfigure firewalls, rules, or VPN settings, directly impacting the security posture of the entire protected network. Reflected XSS targeting admin users is a well-established attack pattern. Organizations with high-privileged SNS users should patch promptly.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects limited direct integrity impact (the XSS modifies the client-side page, not the appliance state directly) and no confidentiality or availability impact in the scoring model. However, this understates the real-world risk: successful exploitation can lead to session hijacking, credential theft, or privilege escalation. Organizations should contextualize the Medium severity rating by considering the appliance's role in their security infrastructure and the likelihood that administrators can be socially engineered.

Frequently asked questions

Can this vulnerability be exploited without social engineering?

No. A reflected XSS attack requires the victim to click a malicious link or access a compromised page. The vulnerability cannot be exploited remotely by simply sending a request to the appliance; the victim's browser must execute the injected script. This makes phishing or social engineering a necessary component of any attack.

What versions of Stormshield SNS are safe?

Versions prior to 4.3.0, versions 4.3.42 and later (if available), 4.8.16 and later, and 5.0.6 and later are expected to be unaffected. Verify exact patched versions in Stormshield's official security advisory, as minor version numbering may vary.

Can internal network segmentation reduce the risk?

Yes. If the SNS appliance's login API is accessible only to a restricted set of management workstations or VPN clients, the attack surface is reduced. However, this does not eliminate the risk if any of those trusted users can be socially engineered. Patching remains the primary mitigation.

Will a WAF prevent this attack?

A properly configured WAF can block requests containing XSS payloads (script tags, event handlers, etc.) before they reach the login API, effectively mitigating the vulnerability. However, WAF rules must be tuned carefully to avoid false positives on legitimate login parameters, and the WAF must be kept updated with rules for new XSS evasion techniques.

This analysis is provided for informational purposes and reflects the vulnerability details available as of June 2026. Organizations must verify all patch versions, affected system configurations, and remediation steps against Stormshield's official security advisories and release notes. SEC.co makes no warranty regarding the accuracy or completeness of this information and assumes no liability for patching errors, misconfigurations, or operational disruptions. Consult your vendor and test all updates in a staging environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).