{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35073", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-04-01T05:04:41.955Z", "datePublished": "2026-04-17T11:05:38.442Z", "dateUpdated": "2026-04-18T03:55:40.665Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-17T11:05:38.442Z"}, "datePublic": "2026-04-15T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Data Domain", "versions": [{"status": "affected", "version": "0", "lessThan": "8.7.0.1 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "8.3.1.30 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "7.13.1.70 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-35073"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T03:55:40.665Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35073", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T11:26:32.879959Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T11:26:38.363Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Data Domain", "versions": [{"status": "affected", "version": "0", "lessThan": "8.7.0.1 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "8.3.1.30 or later", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "7.13.1.70 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.", "supportingMedia": [{"type": "text/html", "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-17T11:05:38.442Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35073", "state": "PUBLISHED", "dateUpdated": "2026-04-18T03:55:40.665Z", "dateReserved": "2026-04-01T05:04:41.955Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-04-17T11:05:38.442Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC897776-0E86-478C-B120-1D5D89C2B488", "versionEndExcluding": "7.13.1.70", "versionStartIncluding": "7.7.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "A28B7834-5B62-4CDE-B628-0BAC62AADD08", "versionEndExcluding": "8.3.1.30", "versionStartIncluding": "7.14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:data_domain_operating_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "1717B5B3-E190-4BE6-AAFC-CE0924D8497E", "versionEndIncluding": "8.6.1.10", "versionStartIncluding": "8.4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:data_domain_operating_system:8.7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "00FDFE5B-55C4-4045-8BAC-73047E3F36EC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges."}], "id": "CVE-2026-35073", "lastModified": "2026-05-08T15:09:54.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-04-17T11:16:10.610", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.7.0.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.3.1.30)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.13.1.70)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerProtect Data Domain", "source": "cna", "vendor": "Dell"}, "product": "powerprotect_data_domain", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-18T09:22:49.915324+00:00", "value": {"mitigation_remediation": ["Apply Dell PowerProtect Data Domain DSA\u20112026\u2011060 security update from Dell support.", "Upgrade to a patched firmware version that falls outside the affected version ranges.", "Restart or reboot the affected services to ensure the patch is active and verify that no local accounts retain unnecessary elevated privileges."], "summary": {"action": "Patch", "impact": "Command execution with root privileges"}, "threat_synthesis": {"affected_systems": "Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.60 are impacted.", "description_and_impact": "An improper neutralization of special elements in the OS command processing of Dell PowerProtect Data Domain allows an attacker with high local privileges to inject arbitrary commands. This flaw can be used to gain unrestricted root execution on the affected system.", "risk_and_exploitability": "The CVSS score of 6.7 indicates a medium severity vulnerability, and the EPSS score is not available. Because the flaw requires local high-privileged access, the attack vector is inferred to be local. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation to date. Nonetheless, the potential for root-level command execution warrants prompt attention."}}}}, "created": "2026-04-17T15:00:10.691476+00:00", "title": "OS Command Injection Vulnerability in Dell PowerProtect Data Domain", "updated": "2026-04-18T09:30:25.686540+00:00", "vendors": ["dell", "dell$PRODUCT$powerprotect_data_domain"]}