Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable management API requires authenticated low-privileged session (PR:L); AC:H reflects unspecified exploitation prerequisites; C:H only as XXE enables server-side file read with no write or availability impact.
Primary rating from Vendor (emc).
CVSS VectorVendor: emc
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
AnalysisAI
Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid low-privileged authenticated account on the Unisphere for PowerMax management interface, as confirmed by PR:L in the CVSS vector - unauthenticated remote attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) accurately reflects the meaningful constraints on exploitation: High Attack Complexity (AC:H) and Low Privileges Required (PR:L) substantially reduce real-world exploitability compared to the High confidentiality impact (C:H) in isolation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged Unisphere for PowerMax account - whether through credential theft, insider access, or a previously compromised service account - submits a crafted XML request to a vulnerable management API endpoint with an embedded external entity declaration referencing a local file path such as a credentials store or configuration file. The Unisphere XML parser resolves the entity server-side and returns the file contents in the API response, exposing sensitive data the attacker can use for further access. … |
| Remediation | Consult Dell advisory DSA-2026-272 at https://www.dell.com/support/kbdoc/en-us/000483543/ to obtain and apply the vendor-released patch addressing this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unisphere For Powermax
View allRemote command execution in Dell Unisphere for PowerMax versions 10.3.0.5 and prior allows a low-privileged authenticate
Dell Unisphere for PowerMax, version(s) 10.2.0.x, contain(s) an Improper Neutralization of Special Elements used in an S
Dell Unisphere for PowerMax 10.2 lacks proper authorization checks, allowing authenticated remote attackers to bypass ac
Dell Unisphere for PowerMax 10.2 contains a path traversal vulnerability that allows authenticated remote attackers to o
Dell Unisphere for PowerMax versions 10.2 suffer from a path traversal vulnerability (CWE-73) that allows authenticated
Dell Unisphere for PowerMax 10.2 contains a relative path traversal flaw that allows authenticated remote attackers to m
Unisphere for PowerMax versions before 9.2.3.15 contain a privilege escalation vulnerability. Rated high severity (CVSS
Dell Unisphere for PowerMax versions prior to 9.2.1.6 contain an Authorization Bypass Vulnerability. Rated high severity
Unisphere For Powermax versions up to 9.2.4.18 is affected by improper restriction of xml external entity reference (CVS
Path traversal in Dell Unisphere for PowerMax 10.3.0.5 and prior exposes arbitrary files on the underlying server to rem
Dell Unisphere for PowerMax 10.2 contains a file path control vulnerability that allows authenticated remote attackers t
Dell Unisphere for PowerMax, version(s) prior to 10.2.0.9 and PowerMax version(s) prior to PowerMax 9.2.4.15, contain an
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42875
GHSA-rhg3-7wm6-r85w