{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23861", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-01-16T18:05:07.319Z", "datePublished": "2026-02-17T13:47:23.893Z", "dateUpdated": "2026-02-17T14:34:00.591Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Unisphere for PowerMax vApp,", "vendor": "Dell", "versions": [{"lessThan": "9.2.4.19 or later", "status": "affected", "version": "N/A", "versionType": "semver"}]}], "datePublic": "2026-02-16T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.<br>"}], "value": "Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-17T13:47:23.893Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:33:52.304279Z", "id": "CVE-2026-23861", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:34:00.591Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T14:33:52.304279Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:33:56.292Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "Unisphere for PowerMax vApp,", "versions": [{"status": "affected", "version": "N/A", "lessThan": "9.2.4.19 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-16T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.", "supportingMedia": [{"type": "text/html", "value": "Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-17T13:47:23.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23861", "state": "PUBLISHED", "dateUpdated": "2026-02-17T14:34:00.591Z", "dateReserved": "2026-01-16T18:05:07.319Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-02-17T13:47:23.893Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery."}, {"lang": "es", "value": "Dell Unisphere for PowerMax vApp, versi\u00f3n(es) 9.2.4.x, contiene una vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('cross-site scripting'). Un atacante con pocos privilegios y acceso remoto podr\u00eda potencialmente explotar esta vulnerabilidad, lo que llevar\u00eda a la ejecuci\u00f3n de c\u00f3digo HTML o JavaScript malicioso en el navegador web de un usuario v\u00edctima en el contexto de la aplicaci\u00f3n web vulnerable. La explotaci\u00f3n puede llevar a revelaci\u00f3n de informaci\u00f3n, robo de sesi\u00f3n o falsificaci\u00f3n de solicitudes del lado del cliente."}], "id": "CVE-2026-23861", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-02-17T14:16:01.773", "references": [{"source": "security_alert@emc.com", "url": "https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.2.4.19)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "Unisphere for PowerMax vApp,", "source": "cna", "vendor": "Dell"}, "product": "unisphere_for_powermax", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-17T18:56:28.120167+00:00", "value": {"mitigation_remediation": ["Apply Dell's latest security patch for Unisphere for PowerMax vApp that fixes the XSS flaw.", "Restrict the Unisphere web interface to authorized users and trusted networks, enforcing role\u2011based access control and network segmentation.", "Ensure all user input is properly encoded before being rendered in HTML, and apply a strict Content Security Policy to prevent execution of injected scripts.", "Monitor application logs for signs of XSS exploitation attempts and review browser console errors for anomalous activity."], "summary": {"action": "Apply Patch", "impact": "Client\u2011side Web Application Manipulation"}, "threat_synthesis": {"affected_systems": "The affected product is Dell Unisphere for PowerMax vApp, specifically version 9.2.4.x. Clients with remote web access and low privileges are at risk, as the vulnerability is triggered through the web interface.", "description_and_impact": "Dell Unisphere for PowerMax vApp versions 9.2.4.x contain an Improper Neutralization of Input During Web Page Generation vulnerability that allows a low\u2011privileged, remote attacker to inject malicious HTML or JavaScript into the application\u2019s output. The injected code executes in the victim\u2019s web browser, potentially leading to information disclosure, session theft, or client\u2011side request forgery.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the Unisphere web application and a low\u2011privileged attacker; the flaw is client\u2011side, meaning that mitigation relies primarily on patching or disabling the vulnerable functionality."}}}}, "created": "2026-02-18T10:43:53.827685+00:00", "title": "Cross\u2011Site Scripting in Dell Unisphere for PowerMax vApp", "updated": "2026-04-17T19:00:11.056034+00:00", "vendors": ["dell", "dell$PRODUCT$unisphere_for_powermax"]}