{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26359", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-02-13T18:05:27.826Z", "datePublished": "2026-02-19T08:34:01.506Z", "dateUpdated": "2026-02-26T14:44:14.935Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Unisphere for PowerMax", "vendor": "Dell", "versions": [{"lessThan": "10.3.0.1 or later", "status": "affected", "version": "N/A", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "PowerMax", "vendor": "Dell", "versions": [{"lessThan": "10.3.0.1 or later", "status": "affected", "version": "N/A", "versionType": "semver"}]}], "datePublic": "2026-02-18T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files.<br>"}], "value": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-19T08:34:01.506Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26359", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T04:55:48.613396Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:14.935Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26359", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T04:55:48.613396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:00:47.192Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "Unisphere for PowerMax", "versions": [{"status": "affected", "version": "N/A", "lessThan": "10.3.0.1 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Dell", "product": "PowerMax", "versions": [{"status": "affected", "version": "N/A", "lessThan": "10.3.0.1 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-18T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files.", "supportingMedia": [{"type": "text/html", "value": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-19T08:34:01.506Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26359", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:14.935Z", "dateReserved": "2026-02-13T18:05:27.826Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-02-19T08:34:01.506Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:unisphere_for_powermax:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E2B8D81-A040-4365-B089-38A241734AF8", "versionEndExcluding": "10.3.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:unisphere_for_powermax:*:*:*:*:eem:*:*:*", "matchCriteriaId": "AD314301-3DEB-46C2-A641-C463CF25F6E0", "versionEndExcluding": "10.3.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files."}], "id": "CVE-2026-26359", "lastModified": "2026-02-20T20:58:50.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:25.573", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.3.0.1)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "PowerMax", "source": "cna", "vendor": "Dell"}, "product": "powermax_os", "vendor": "dell"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.3.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Unisphere for PowerMax", "source": "cna", "vendor": "Dell"}, "product": "unisphere_for_powermax", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-17T18:10:53.680896+00:00", "value": {"mitigation_remediation": ["Apply the Dell security update that patches Unisphere for PowerMax to version 10.2 or later; download the update from Dell\u2019s support site.", "Restrict Unisphere web interface access to trusted administrative networks and ensure that only users with properly scoped privileges can connect remotely.", "Enforce strong authentication, session timeouts, and limit exposed management ports to reduce the window of opportunity for attackers."], "summary": {"action": "Patch", "impact": "Arbitrary File Overwrite via External Control of File Name or Path"}, "threat_synthesis": {"affected_systems": "Dell PowerMax systems running Dell Unisphere for PowerMax version 10.2 are impacted. The vulnerability exists in both the core Unisphere product and the EEM component handling file operations.", "description_and_impact": "A remote attacker with limited privileges can craft requests to Dell Unisphere for PowerMax that exploit an external control of file name or path flaw. This weakness, classified as CWE\u201173, permits the attacker to overwrite any file the application identifies, potentially corrupting configuration files or installing malicious code. The impact is the loss of data integrity, and in a worst\u2011case scenario, it could compromise the entire storage system.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1% suggests that, as of now, exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a low\u2011privileged attacker accessing the Unisphere web interface remotely; no exploit code is publicly documented, but the flaw can be used in a targeted attack if the attacker can reach the interface."}}}}, "created": "2026-02-20T10:07:56.466769+00:00", "title": "Unisphere for PowerMax External File Path Control Vulnerability", "updated": "2026-04-17T18:15:26.778608+00:00", "vendors": ["dell", "dell$PRODUCT$powermax_os", "dell$PRODUCT$unisphere_for_powermax"]}