Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Remote-reachable but requires already-high cluster/storage privileges (PR:H) and non-trivial preconditions (AC:H); injected OS command yields full C/I/A impact with scope change beyond the driver (S:C).
Primary rating from Vendor (dell).
CVSS VectorVendor: dell
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Dell Dell Container Storage Modules, version(s) csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, csi-powermax v2.16.0, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution.
AnalysisAI
OS command injection in Dell Container Storage Modules (CSM) version 2.16.0 - spanning the csi-powerstore, csi-unity, csi-powerflex, and csi-powermax CSI drivers - lets a remote, high-privileged attacker inject and execute arbitrary operating-system commands (CWE-78). Successful exploitation yields full confidentiality, integrity, and availability impact with a scope change, meaning command execution can reach beyond the vulnerable component into the surrounding host or cluster. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold high privileges (CVSS PR:H) - a trusted storage/cluster administrator role or an equivalently privileged, compromised service account able to interact with the CSM CSI controllers (csi-powerstore, csi-unity, csi-powerflex, or csi-powermax at v2.16.0). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and point to a high-impact but high-barrier issue rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained high-privileged access to the cluster's storage-management plane (for example, a compromised storage-admin service account token or an insider with CSM controller permissions) submits a crafted request containing shell metacharacters in a field the CSI driver passes to an OS command. Because input is not neutralized (CWE-78), the injected command executes in the driver/controller context; the scope-change (S:C) means that execution can affect the underlying host or other cluster components beyond the driver. … |
| Remediation | Patch available per vendor advisory: upgrade Dell Container Storage Modules above the affected 2.16.0 release per Dell DSA-2026-259 (https://www.dell.com/support/kbdoc/en-za/000478300/dsa-2026-259-security-update-for-dell-container-storage-modules-multiple-vulnerabilities); the input does not include a confirmed fixed version number, so consult the advisory for the exact patched release for each driver (csi-powerstore, csi-unity, csi-powerflex, csi-powermax) and bump the corresponding Helm chart/operator image tags. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all deployments running CSM 2.16.0 across infrastructure; restrict administrative access to storage driver APIs; enable command-injection detection in container runtime or host-level security tools. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Container Storage Modules
View allDell Container Storage Modules 1.2 contains an OS Command Injection in goiscsi and gobrick libraries. Rated high severit
Dell Container Storage Modules 1.2 contains an Improper Limitation of a Pathname to a Restricted Directory in goiscsi an
Dell Container Storage Modules 1.2 contains an OS command injection in goiscsi and gobrick libraries. Rated high severit
Dell Container Storage Modules 1.2 contains a path traversal vulnerability in goiscsi and gobrick libraries. Rated mediu
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39652
GHSA-6p63-373v-wp23