PowerFlex Manager
CVE-2026-35068
Severity: MEDIUM (primary rating from vendor, Dell)
Severity by source: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Adjacent vector and low-privilege requirement confirmed by description; read-only SQL injection yields only partial confidentiality loss with no integrity or availability impact.
CVSS Vector (NVD): CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure.
Analysis (AI)
SQL injection in Dell PowerFlex Manager exposes database contents to low-privileged adjacent-network attackers via insufficiently sanitized SQL command input. The vulnerability requires both network adjacency and existing low-level credentials, limiting its reach considerably from an opportunistic threat standpoint. …
Vulnerability Assessment (AI)
| Area | Assessment |
|---|---|
| Exploitation | Exploitation requires two concrete preconditions: (1) the attacker must possess a valid low-privileged account on the Dell PowerFlex Manager application (PR:L), and (2) the attacker's system must be network-adjacent to the PowerFlex Manager interface, meaning on the same Layer-2 segment, VLAN, or directly connected management network (AV:A). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The aggregate risk signal for this vulnerability is LOW. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged PowerFlex Manager account (such as a read-only monitoring account or a compromised service credential), positioned on the same management network segment, sends a crafted HTTP request containing SQL metacharacters to a vulnerable API or UI endpoint. The injected SQL fragment alters the intended query, causing the database to return rows outside the scope the attacker's account is authorized to read, potentially including configuration details, credentials stored in the management database, or tenant/node metadata. … |
| Remediation | Consult Dell Security Advisory DSA-2026-066 at https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities to identify the exact patched version applicable to your deployment; the input data does not supply a specific fixed version number, so 'Patch available per vendor advisory' is the most accurate characterization of patch status at this time. … Detailed patch versions, workarounds, and compensating controls in full report. |