Skip to main content

Dell PowerFlex Manager CVE-2026-35069

HIGH
SQL Injection (CWE-89)
2026-06-17 dell
Dell SQLi Powerflex
8.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (dell) PRIMARY
MEDIUM
qualitative
NVD
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Adjacent management network and low-privileged app account required (AV:A, PR:L); SQLi against backend DB yields high C/I/A with no scope change.

3.1 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 22, 2026 - 18:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 18:53 vuln.today
cvss_changed
Severity Changed
Jun 22, 2026 - 18:53 NVD
MEDIUM HIGH
CVSS changed
Jun 22, 2026 - 18:53 NVD
5.7 (MEDIUM) 8.0 (HIGH)
Analysis Generated
Jun 17, 2026 - 16:56 vuln.today

DescriptionNVD

Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection.

AnalysisAI

SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on storage management VLAN
Delivery
Authenticate with low-privileged PowerFlex role
Exploit
Submit crafted input to vulnerable endpoint
Execution
Backend concatenates input into SQL query
Persist
Read/modify database and store script payload
Impact
Admin views page and triggers injected script
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network adjacency to the PowerFlex management interface - i.e., a foothold on the same broadcast/L2 management segment as PowerFlex Manager (AV:A), not arbitrary internet reachability - and (2) valid low-privileged credentials to the PowerFlex Manager application (PR:L); UI:N means no victim interaction is needed for the SQLi itself, though the downstream script-injection impact requires another operator to view the affected page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.0 (High) reflects High impact across C/I/A combined with adjacent-network attack vector (AV:A), low complexity (AC:L), and low privileges (PR:L) - a credentialed insider or compromised low-tier account on the management network is the threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privileged PowerFlex Manager credentials (e.g., a help-desk or read-only operator account) and a foothold on the storage management VLAN submits a crafted parameter to a vulnerable PowerFlex Manager endpoint; the value is concatenated into a backend SQL query, allowing the attacker to read or modify management database contents and persist an injected payload that is later rendered as script in another operator's browser. No public exploit code is identified, so the attack would require independent vulnerability research against the patched binary.
Remediation Patch available per vendor advisory - apply the PowerFlex Manager update described in Dell DSA-2026-066 (https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities); confirm the exact fixed build with Dell support because the published CVE record shows the affected version field as a placeholder. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: inventory all Dell PowerFlex Manager deployments and restrict network access to this service to trusted networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-35065 HIGH
8.8 Jun 17

Missing authentication on a critical function in Dell PowerFlex Manager allows an adjacent-network attacker to invoke pr
CVE-2026-32804 HIGH
8.1 Jun 17

Authentication bypass in Dell PowerFlex Manager allows an unauthenticated attacker with adjacent-network access to gain

CVE-2026-49502 HIGH
8.1 Jun 17

Improper authentication in Dell PowerFlex Manager allows unauthenticated attackers with adjacent network access to bypas
CVE-2026-35067 HIGH
8.0 Jun 17

Privilege escalation in Dell PowerFlex Manager allows a low-privileged attacker on an adjacent network segment to bypass
CVE-2026-22283 HIGH
7.5 Jun 17

Information disclosure in Dell PowerFlex Manager versions prior to 4.8 stems from inclusion of functionality from an unt

Share

CVE-2026-35069 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy