Skip to main content

Dell PowerFlex Manager EUVDEUVD-2026-42868

| CVE-2026-56690 HIGH
SQL Injection (CWE-89)
2026-07-10 security_alert@emc.com GHSA-cmv5-wf6c-fjcg
8.5
CVSS 3.1 · Vendor: emc
Share

Severity by source

Vendor (emc) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
8.5 HIGH

Network-reachable SQLi needing only low-privilege auth (PR:L, AC:L); scope change (S:C) as injected query reaches data beyond the input component; confidentiality-dominant with minor integrity, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (emc).

CVSS VectorVendor: emc

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 13:01 EUVD
Analysis Generated
Jul 10, 2026 - 12:33 vuln.today

DescriptionCVE.org

Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information exposure, and Unauthorized access.

AnalysisAI

SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Reach PowerFlex Manager interface
Exploit
Submit crafted SQL injection payload
Execution
Manipulate backend database query
Impact
Exfiltrate unauthorized data and access

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the PowerFlex Manager management interface plus valid low-privilege authentication (CVSS PR:L) - a completely unauthenticated attacker cannot exploit this per the provided vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, base 8.5) signals a network-reachable, low-complexity attack requiring only low-privilege authentication and no user interaction - a realistic priority for any exposed PowerFlex Manager instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privilege PowerFlex Manager account (or compromised one) sends crafted input through an interface field that feeds a backend SQL query, manipulating the query to return records the account is not authorized to see. Because the scope is changed, the attacker leverages this to read sensitive configuration or credential-adjacent data and achieve unauthorized access to managed resources. …
Remediation Upgrade Dell PowerFlex Manager to version 5.1.0.1 or later, which Dell released as the fix per advisory DSA-2026-066 (https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all PowerFlex Manager deployments running versions prior to 5.1.0.1; audit which service accounts and user roles have management console access; review audit logs for suspicious SQL queries or unauthorized data access patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-37143 CRITICAL
9.8 Dec 10

Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.

CVE-2026-56688 CRITICAL
9.1 Jul 10

Root-level OS command execution in Dell PowerFlex Manager (versions prior to 5.1.0.1) lets a remote, high-privileged att

CVE-2026-56689 HIGH
7.7 Jul 10

SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted

CVE-2024-37144 MEDIUM
6.7 Dec 10

Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.

CVE-2024-47477 MEDIUM
6.5 Jun 17

Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. Rated mediu

CVE-2025-26483 MEDIUM
6.1 May 22

Open redirect vulnerability in Dell PowerFlex Manager 4.6.2 and prior enables unauthenticated remote attackers to craft

CVE-2025-32751 MEDIUM
5.5 May 22

Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-p

CVE-2025-32747 MEDIUM
5.3 May 22

Incorrect Privilege Assignment in Dell PowerFlex Manager version 4.6.2 and earlier (both Appliance and Rack form factors

CVE-2025-32749 MEDIUM
5.3 May 22

Directory listing exposure in Dell PowerFlex Manager versions 4.6.2 and earlier allows an attacker to enumerate director

CVE-2025-36599 MEDIUM
4.3 Jul 09

Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulne

CVE-2025-32745 MEDIUM
4.2 May 22

Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker o

CVE-2025-32746 MEDIUM
4.0 May 22

Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentia

Share

EUVD-2026-42868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy