{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22762", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-01-09T18:05:08.763Z", "datePublished": "2026-02-17T19:53:45.219Z", "dateUpdated": "2026-03-06T15:35:21.083Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Avamar Server", "vendor": "Dell", "versions": [{"lessThan": "19.10 SP1 with CHF 338912 or later", "status": "affected", "version": "19.9 through 19.10 SP1", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Avamar Virtual Edition", "vendor": "Dell", "versions": [{"lessThan": "19.10 SP1 with CHF 338912 or later", "status": "affected", "version": "19.9 through 19.10 SP1", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "PowerProtect DP Series Appliance (IDPA)", "vendor": "Dell", "versions": [{"lessThan": "2.7.9 with AV CHF 338912", "status": "affected", "version": "N/A", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dell would like to thank LIUPENG for reporting this issue."}], "datePublic": "2026-02-17T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete."}], "value": "Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-17T19:53:45.219Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000425796/dsa-2026-053-security-update-for-dell-avamar-server-and-dell-avamar-virtual-edition-improper-limitation-of-a-pathname-to-a-restricted-directory-path-traversal-vulnerability"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T19:02:35.792305Z", "id": "CVE-2026-22762", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:35:21.083Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T19:02:35.792305Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:35:15.398Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Dell would like to thank LIUPENG for reporting this issue."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "Avamar Server", "versions": [{"status": "affected", "version": "19.9 through 19.10 SP1", "lessThan": "19.10 SP1 with CHF 338912 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Dell", "product": "Avamar Virtual Edition", "versions": [{"status": "affected", "version": "19.9 through 19.10 SP1", "lessThan": "19.10 SP1 with CHF 338912 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Dell", "product": "PowerProtect DP Series Appliance (IDPA)", "versions": [{"status": "affected", "version": "N/A", "lessThan": "2.7.9 with AV CHF 338912", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-17T18:00:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000425796/dsa-2026-053-security-update-for-dell-avamar-server-and-dell-avamar-virtual-edition-improper-limitation-of-a-pathname-to-a-restricted-directory-path-traversal-vulnerability", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete.", "supportingMedia": [{"type": "text/html", "value": "Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-17T19:53:45.219Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22762", "state": "PUBLISHED", "dateUpdated": "2026-03-06T15:35:21.083Z", "dateReserved": "2026-01-09T18:05:08.763Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-02-17T19:53:45.219Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete."}, {"lang": "es", "value": "Dell Avamar Server y Avamar Virtual Edition, versiones anteriores a 19.10 SP1 con CHF338912, contiene una vulnerabilidad de seguridad de limitaci\u00f3n inadecuada de un nombre de ruta a un directorio restringido ('Salto de ruta'). Un atacante con muchos privilegios y acceso remoto podr\u00eda potencialmente explotar esta vulnerabilidad, lo que podr\u00eda llevar a la eliminaci\u00f3n arbitraria de archivos."}], "id": "CVE-2026-22762", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-02-17T20:22:09.647", "references": [{"source": "security_alert@emc.com", "url": "https://www.dell.com/support/kbdoc/en-us/000425796/dsa-2026-053-security-update-for-dell-avamar-server-and-dell-avamar-virtual-edition-improper-limitation-of-a-pathname-to-a-restricted-directory-path-traversal-vulnerability"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[19.9,19.10 SP1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Avamar Server", "source": "cna", "vendor": "Dell"}, "product": "avamar_server", "vendor": "dell"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[19.9,19.10 SP1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Avamar Virtual Edition", "source": "cna", "vendor": "Dell"}, "product": "avamar_virtual_edition", "vendor": "dell"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.7.9 with AV CHF 338912)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "PowerProtect DP Series Appliance (IDPA)", "source": "cna", "vendor": "Dell"}, "product": "powerprotect_dp_series_appliance_(idpa)", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-17T18:53:23.928878+00:00", "value": {"mitigation_remediation": ["Apply Dell security update DSA-2026-053 to upgrade to 19.10 SP1 or later.", "Revoke or remove unnecessary high-privileged remote access to the Avamar management interface.", "Implement network segmentation or firewall rules to restrict external remote connections to the Avamar appliance and continuously monitor logs for unauthorized privileged actions."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file deletion"}, "threat_synthesis": {"affected_systems": "Dell Avamar Server and Dell Avamar Virtual Edition, versions earlier than 19.10 SP1 with CHF338912, as well as Dell PowerProtect DP Series Appliance (IDPA), are susceptible to this flaw. These products rely on proper pathname limitation to prevent file system traversal.", "description_and_impact": "The vulnerability is an Improper Limitation of a Pathname to a Restricted Directory, known as a path traversal flaw. It allows a high-privileged attacker who can reach the Avamar system remotely to delete any file on the appliance's file system, potentially compromising data integrity and availability. This is a direct consequence of the CWE-22 weakness, leading to destructive operations rather than code execution or data exfiltration.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity, while the EPSS score of less than 1% suggests that the likelihood of exploitation is low at this time. The vulnerability can be used by an attacker who possesses high-privileged remote access to the Avamar appliance to delete arbitrary files, potentially leading to data loss or service disruption. The flaw is not listed in the CISA KEV catalog, implying no publicly known active exploits."}}}}, "created": "2026-02-18T10:33:23.276591+00:00", "title": "Path Traversal Allowing Arbitrary File Deletion in Dell Avamar", "updated": "2026-04-17T19:00:11.041171+00:00", "vendors": ["dell", "dell$PRODUCT$avamar_server", "dell$PRODUCT$avamar_virtual_edition", "dell$PRODUCT$powerprotect_dp_series_appliance_(idpa)"]}