PowerProtect Data Domain CVE-2026-41124

EUVD-2026-41534 | LOW
Path Traversal (CWE-22)
2026-07-03 | dell | GHSA-pq7x-9m82-559w
CVSS 3.1: 2.3 · Vendor: dell

Severity by source

Vendor (dell), primary: 2.3 LOW, AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
vuln.today AI: 2.3 LOW

Local-only access vector and high-privilege prerequisite are confirmed by description; confidentiality-only low impact reflects read-only path traversal with no write or availability effect.

CVSS 3.1: AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS Vector (Vendor: dell)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jul 03, 2026 - 14:01 (EUVD)
Analysis generated: Jul 03, 2026 - 12:51 (vuln.today)

Description (CVE.org)

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Improper limitation of a pathname to a restricted directory ('path traversal') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.

Analysis (AI)

Path traversal in Dell PowerProtect Data Domain allows a locally authenticated high-privileged attacker to read files outside restricted directories, resulting in information disclosure. Affected deployments span multiple release trains - standard releases 7.7.1.0 through 8.6, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain high-privilege local credentials
Delivery: Authenticate to Data Domain appliance via SSH or console
Exploit: Craft path traversal payload with '../' sequences
Execution: Submit traversal request to vulnerable file-handling component
Impact: Read sensitive files outside restricted directory boundary

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two simultaneous conditions: the attacker must hold high-privileged credentials on the Dell PowerProtect Data Domain appliance (CVSS PR:H - administrative or root-level access), and must have local system access (CVSS AV:L - physical console, SSH session, or equivalent logical local access). …
Risk Assessment: The CVSS 3.1 score of 2.3 (Low) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N is internally consistent with the description and accurately reflects a low-priority security posture issue rather than a critical exposure. …
Exploit Scenario: A system administrator or other high-privileged local user with SSH or console access to a Dell PowerProtect Data Domain appliance submits a crafted file path request containing directory traversal sequences (e.g., '../../etc/') to a vulnerable application component. The component fails to canonicalize and validate the path against the intended restricted root, allowing the attacker to read sensitive files - such as configuration files or credential stores - outside the permitted directory. …
Remediation: Apply the vendor-released updates documented in Dell Security Advisory DSA-2026-278 at https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities. …

CVE-2025-29987 HIGH
8.8 Apr 03

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficie

CVE-2026-49814 HIGH
7.2 Jul 03

Arbitrary OS command execution in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025

CVE-2026-49815 HIGH
7.2 Jul 03

OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2

CVE-2026-53478 HIGH
7.2 Jul 03

Authenticated OS command injection in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-

CVE-2026-49813 MEDIUM
6.7 Jul 03

OS command injection in Dell PowerProtect Data Domain across four supported release tracks allows a high-privileged loca

CVE-2026-46463 MEDIUM
6.5 Jul 03

Integer overflow in Dell PowerProtect Data Domain across multiple release trains (main, LTS2024, LTS2025, LTS2026) expos

CVE-2026-46465 MEDIUM
5.5 Jul 03

Format string exploitation in Dell PowerProtect Data Domain enables remote high-privileged attackers to disclose memory

CVE-2026-46464 MEDIUM
4.9 Jul 03

Symlink-following vulnerability in Dell PowerProtect Data Domain allows a high-privileged remote attacker to traverse ou

CVE-2026-44268 MEDIUM
4.4 Jul 03

Incorrect permission assignment on a critical resource in Dell PowerProtect Data Domain exposes sensitive data to high-p

CVE-2026-44269 MEDIUM
4.4 Jul 03

Link-following exploitation in Dell PowerProtect Data Domain enables a high-privileged local attacker to read files outs

CVE-2026-46466 LOW
2.7 Jul 03

Dell PowerProtect Data Domain's handling of a less-trusted data source allows a remote, high-privileged attacker to perf
