
Wyse Management Suite CVE-2026-41120

EUVD: EUVD-2026-39395 · CRITICAL
Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349)
2026-06-25 dell GHSA-5mhj-93x4-vf9f
9.8
CVSS 3.1 · Vendor: dell

Severity by source

Vendor (dell) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable RCE with low complexity and full impact; PR:L chosen to reflect Dell's 'low privileged attacker' wording over the input's PR:N, pending vendor confirmation.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS Vector (Vendor: dell)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated
Jun 25, 2026 - 14:27 vuln.today

Description (CVE.org)

Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution.

Analysis (AI)

Remote code execution affects Dell Wyse Management Suite in all versions prior to WMS 5.5 HF1, stemming from the application's acceptance of extraneous untrusted data alongside trusted data (CWE-349). Per the provided CVSS vector (PR:N), a remote unauthenticated attacker could potentially achieve full code execution against the management server, though the Dell description text characterizes the actor as 'low privileged' - a discrepancy worth verifying. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach WMS server over network
Delivery: Craft request mixing untrusted with trusted data
Exploit: Server accepts extraneous untrusted data
Execution: Trigger remote code execution
Impact: Control management server and managed endpoints

Vulnerability Assessment (AI)

Exploitation: Network reachability to the Wyse Management Suite server is required. …

Risk Assessment: The supplied CVSS 3.1 base score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - network-reachable, low complexity, no privileges, no user interaction, and full confidentiality/integrity/availability impact. …

Exploit Scenario: An attacker who can reach the Wyse Management Suite server over the network sends a crafted request in which malicious untrusted data is bundled with otherwise-trusted request fields; the server accepts and acts on the extraneous data, resulting in code execution on the management host. No public exploit is currently available, but given AV:N/AC:L the technical barrier is low if an attacker reverse-engineers the patch, potentially yielding control over every managed thin client.

Remediation: Vendor-released patch: upgrade to Dell Wyse Management Suite 5.5 HF1 or later, which remediates this vulnerability per Dell advisory DSA-2026-225 (https://www.dell.com/support/kbdoc/en-in/000465356/dsa-2026-225). …

Recommended Action (AI)

24 hours: Identify all Dell Wyse Management Suite deployments and document current versions; review system logs for exploitation attempts. …


CVE-2026-22765 HIGH
8.8 Feb 24

Dell Wyse Management Suite versions prior to 5.5 suffer from improper access controls that allow authenticated remote at

CVE-2025-36574 HIGH
8.2 Jun 10

Dell Wyse Management Suite versions prior to 5.2 contain an Absolute Path Traversal vulnerability (CWE-36) that allows u

CVE-2025-29981 HIGH
7.5 Apr 02

Dell Wyse Management Suite, versions prior to WMS 5.1, contains an Exposure of Sensitive Information Through Data Querie

CVE-2025-36575 HIGH
7.5 Jun 10

An information disclosure vulnerability in an Exposure of Sensitive Information (CVSS 7.5). High severity vulnerability r

CVE-2026-49506 HIGH
7.2 Jun 25

Remote code execution in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) is reachable through a path traversa

CVE-2026-22766 HIGH
7.2 Feb 24

Remote code execution in Dell Wyse Management Suite versions before 5.5 via unrestricted file upload allows high-privile

CVE-2025-36578 MEDIUM
6.8 Jun 10

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Incorrect Authorization vulnerability. A low privilege

CVE-2025-29982 MEDIUM
6.8 Apr 02

Dell Wyse Management Suite, versions prior to WMS 5.1, contains an Insecure Inherited Permissions vulnerability. Rated m

CVE-2025-36577 MEDIUM
6.1 Jun 10

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Gener

CVE-2025-36580 MEDIUM
6.1 Jun 10

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Gener

CVE-2026-23858 MEDIUM
5.4 Feb 24

Dell Wyse Management Suite versions before 5.5 contain a cross-site scripting (XSS) vulnerability that allows authentica

CVE-2025-27694 MEDIUM
5.3 Apr 02

Dell Wyse Management Suite, versions prior to WMS 5.1, contains an Insufficient Resource Pool vulnerability. Rated mediu
