Possible reflected XSS on login API

Possible reflected XSS on login API

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2026-003	CVE-2026-8474	01/13/2026	medium	v2

Vulnerability details

It’s possible to run a Cross Site Scripting request on the login API available on Stormshield SNS appliances.

Impacted products

Products	Severity	Detail
Stormshield Network Security	medium	SNS is Impacted

Revisions

Version	Date	Description
v1	02/19/2026	Initial release
v2	05/21/2026	Published as disclosed

Stormshield Network Security

CVSS v3.1 Overall Score: 4.8

Analysis	Impacted version
It’s possible to run a Cross Site Scripting request on the login API available on Stormshield SNS appliances.	SNS 5.0.0 to 5.0.5 SNS 4.8.0 to 4.8.15 SNS 4.3.0 to 4.3.41

Workaround solution

Solution

There is no workaround solution.

The following updates will fix this vulnerability:

SNS 5.0.6
SNS 4.8.16
SNS 4.3.42

Attack Vector	Attack Complexity	Privileges Required	User Interaction	Scope	Confidentiality Impact	Integrity Impact	Availability impact
Network	Low	None	None	Unchanged	None	Low	None

CVSS Base score: 5.3	CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploit Code Maturity	Remediation Level	Report Confidence
Proof of concept code	Official fix	Confirmed

CVSS Temporal score: 4.8	CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C)

Confidentiality Requirement (CR)	Integrity Requirement (IR)	Availability Requirement (AR)
Medium	Medium	Medium

CVSS Environmental score: 4.8	CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:M/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

RSS Feed Contact Report a vulnerability Legal terms STORMSHIELD Corporate website Personal Data