{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26357", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-02-13T18:05:27.825Z", "datePublished": "2026-02-17T19:41:10.526Z", "dateUpdated": "2026-03-06T18:57:26.524Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Unisphere for PowerMax 9.2.4.18", "vendor": "Dell", "versions": [{"lessThan": "9.2.4.19", "status": "affected", "version": "N/A", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Unisphere for PowerMax Virtual Appliance 9.2.4.17", "vendor": "Dell", "versions": [{"lessThan": "9.2.4.19", "status": "affected", "version": "N/A", "versionType": "semver"}]}], "datePublic": "2026-02-17T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery."}], "value": "Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-17T19:41:10.526Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-21T21:13:37.568210Z", "id": "CVE-2026-26357", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:57:26.524Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26357", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-21T21:13:37.568210Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:57:21.592Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "Unisphere for PowerMax 9.2.4.18", "versions": [{"status": "affected", "version": "N/A", "lessThan": "9.2.4.19", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Dell", "product": "Unisphere for PowerMax Virtual Appliance 9.2.4.17", "versions": [{"status": "affected", "version": "N/A", "lessThan": "9.2.4.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-17T18:00:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.", "supportingMedia": [{"type": "text/html", "value": "Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-17T19:41:10.526Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26357", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:57:26.524Z", "dateReserved": "2026-02-13T18:05:27.825Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-02-17T19:41:10.526Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery."}, {"lang": "es", "value": "Dell Unisphere para PowerMax, versi\u00f3n(es) 9.2.4.x, tiene una vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting'). Un atacante con pocos privilegios con acceso remoto podr\u00eda, potencialmente, explotar esta vulnerabilidad, lo que llevar\u00eda a la ejecuci\u00f3n de c\u00f3digo HTML o JavaScript malicioso en el navegador web de un usuario v\u00edctima en el contexto de la aplicaci\u00f3n web vulnerable. La explotaci\u00f3n puede llevar a revelaci\u00f3n de informaci\u00f3n, robo de sesi\u00f3n, o falsificaci\u00f3n de solicitudes del lado del cliente."}], "id": "CVE-2026-26357", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-02-17T20:22:10.437", "references": [{"source": "security_alert@emc.com", "url": "https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.2.4.19)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Unisphere for PowerMax 9.2.4.18", "source": "cna", "vendor": "Dell"}, "product": "unisphere_for_powermax", "vendor": "dell"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.2.4.19)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "Unisphere for PowerMax Virtual Appliance 9.2.4.17", "source": "cna", "vendor": "Dell"}, "product": "unisphere_for_powermax_virtual_appliance", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-16T17:07:42.325477+00:00", "value": {"mitigation_remediation": ["Download and install the Dell Unisphere for PowerMax security update that addresses the XSS flaw (v9.2.4.18 for PowerMax and v9.2.4.17 for the Virtual Appliance).", "Restart the Unisphere services after applying the update so that the web application loads the patched code.", "If an immediate update is not possible, restrict external access to the Unisphere web UI by applying firewall rules or VPN\u2011only access to limit exposure to trusted users. ", "Deploy a web application firewall or enable browser\u2011side XSS protections to mitigate risk until the official patch is applied."], "summary": {"action": "Patch Immediately", "impact": "Client-side cross\u2011site scripting enabling session theft, data disclosure, and request forgery"}, "threat_synthesis": {"affected_systems": "Impact is limited to Dell Unisphere for PowerMax 9.2.4.18 and Dell Unisphere for PowerMax Virtual Appliance 9.2.4.17. These are the only versions explicitly identified as vulnerable in the advisory.", "description_and_impact": "This vulnerability is a cross\u2011site scripting flaw in the web interface of Dell Unisphere for PowerMax 9.2.4.x and its Virtual Appliance 9.2.4.x. An attacker with low privileges but remote access to the web UI can inject malicious scripts that will execute in the victim\u2019s browser while they are logged into the application. The impact is client\u2011side code execution, allowing attackers to steal session cookies, expose sensitive data, or forge client\u2011side requests on the victim\u2019s behalf.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates medium severity. The EPSS score of <1% suggests a low probability of exploitation under current conditions and the vulnerability is not listed in the CISA KEV catalog. Attackers would need network access to the Unisphere web interface and a user who visits a crafted page; a successful attack would be confined to the victim\u2019s browser and would not break out of the sandbox to affect the host system."}}}}, "created": "2026-02-18T10:33:27.505585+00:00", "title": "Cross\u2011site Scripting Vulnerability in Dell Unisphere for PowerMax Web Interface", "updated": "2026-04-16T17:15:17.986732+00:00", "vendors": ["dell", "dell$PRODUCT$unisphere_for_powermax", "dell$PRODUCT$unisphere_for_powermax_virtual_appliance"]}