{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22277", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-01-07T07:17:24.536Z", "datePublished": "2026-01-30T08:27:02.070Z", "dateUpdated": "2026-02-26T15:04:43.315Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "UnityVSA", "vendor": "Dell", "versions": [{"lessThan": "5.5.3", "status": "affected", "version": "N/A", "versionType": "semver"}]}], "datePublic": "2026-01-28T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "&nbsp; Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.<br>"}], "value": "Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-01-30T08:27:02.070Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22277", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-31T04:56:21.326370Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:43.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22277", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-31T04:56:21.326370Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T13:09:50.449Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "UnityVSA", "versions": [{"status": "affected", "version": "N/A", "lessThan": "5.5.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-01-28T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.", "supportingMedia": [{"type": "text/html", "value": "&nbsp; Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-01-30T08:27:02.070Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22277", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:43.315Z", "dateReserved": "2026-01-07T07:17:24.536Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-01-30T08:27:02.070Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:unity_operating_environment:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED4C4D95-DC2F-47F0-AC47-25C0418E601C", "versionEndExcluding": "5.5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges."}, {"lang": "es", "value": "Dell UnityVSA, versi\u00f3n(es) 5.4 y anteriores, contiene una vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando de SO ('inyecci\u00f3n de comandos de SO'). Un atacante con privilegios bajos y acceso local podr\u00eda potencialmente explotar esta vulnerabilidad, lo que lleva a la ejecuci\u00f3n arbitraria de comandos con privilegios de root."}], "id": "CVE-2026-22277", "lastModified": "2026-03-10T18:21:46.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-01-30T09:15:51.090", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:48:29.624041+00:00", "value": {"mitigation_remediation": ["Apply the Dell UnityVSA security update that removes the vulnerable command\u2011injection path and sanitizes all command inputs.", "Restrict local or console access to the UnityVSA appliance by using network segmentation or firewall rules to limit management interfaces to trusted hosts.", "Enforce least\u2011privilege principles on the accounts running UnityVSA services to limit the impact of any command\u2011execution attempts."], "summary": {"action": "Patch", "impact": "Local privilege escalation via OS command injection"}, "threat_synthesis": {"affected_systems": "Dell UnityVSA operating environment versions 5.4 and prior are affected.", "description_and_impact": "Dell UnityVSA, version\u202f5.4 and earlier, contains a command\u2011injection flaw (CWE\u201178) caused by improper neutralization of special elements used in an OS command string. A local, low\u2011privileged attacker who can provide input to the appliance can cause arbitrary command execution with root privileges, potentially taking full control of the appliance.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score is below 1\u202f%, suggesting a very low likelihood of exploitation. The flaw is not listed in CISA KEV. Local access is required, so only users or attackers with physical or network access to the appliance may exploit this vulnerability."}}}}, "created": "2026-02-02T09:27:50.727587+00:00", "title": "Root Privilege Command Injection in Dell UnityVSA 5.4 and Earlier", "updated": "2026-04-18T20:00:09.278793+00:00", "vendors": ["dell", "dell$PRODUCT$unity", "dell$PRODUCT$unityvsa_operating_environment"]}