Powerflex
Monthly
SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).
SQL injection in Dell PowerFlex Manager exposes database contents to low-privileged adjacent-network attackers via insufficiently sanitized SQL command input. The vulnerability requires both network adjacency and existing low-level credentials, limiting its reach considerably from an opportunistic threat standpoint. No active exploitation has been confirmed by CISA KEV, and no public exploit code is known at time of analysis; the CVSS score of 3.5 (Low) reflects the constrained attack surface.
Improper access control in Dell PowerFlex Manager allows a low-privileged remote attacker to trigger a denial-of-service condition and tamper with integrity-sensitive operations against the software-defined storage management plane. Dell disclosed the issue in advisory DSA-2026-066, and at the time of analysis no public exploit has been identified and the CVE is not on the CISA KEV list.
Privilege escalation in Dell PowerFlex Manager allows a low-privileged attacker on an adjacent network segment to bypass access controls and gain unauthorized elevated access to the management plane. The CVSS 8.0 (High) score reflects significant confidentiality, integrity, and availability impact, though there is no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.13% (3rd percentile). CISA SSVC classifies exploitation as 'none' with non-automatable attack characteristics, indicating no observed real-world abuse despite the meaningful technical severity.
Dell PowerFlex Manager's improper access control (CWE-284) permits a remote, low-privileged attacker to cause a denial of service condition against the management platform. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the attack is network-reachable with minimal complexity once credentials are obtained, and is limited in scope to availability degradation (A:L). No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Missing authentication on a critical function in Dell PowerFlex Manager allows an adjacent-network attacker to invoke privileged operations without credentials, yielding code execution, denial of service, information disclosure, tampering, and unauthorized access. No public exploit has been identified at time of analysis, and the affected version range was left unpopulated in the source advisory. Dell self-reported the issue under DSA-2026-066.
Authentication bypass in Dell PowerFlex Manager allows an unauthenticated attacker with adjacent-network access to gain unauthorized access to the management plane, with high impact to integrity and availability of the software-defined storage fabric. Dell's DSA-2026-066 advisory addresses this and other PowerFlex flaws; no public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV. The affected version range is not enumerated in the public record, which constrains accurate exposure scoping.
Improper authentication in Dell PowerFlex Manager allows unauthenticated attackers with adjacent-network access to bypass authentication controls, resulting in information disclosure, data tampering, and unauthorized access to managed storage infrastructure. The vulnerability carries a CVSS 8.1 rating reflecting high confidentiality and integrity impact, though no public exploit has been identified at time of analysis and EPSS scores it at 0.19% probability. SSVC scoring from CISA indicates no observed exploitation and partial technical impact.
Information disclosure in Dell PowerFlex Manager versions prior to 4.8 stems from inclusion of functionality from an untrusted control sphere (CWE-829), allowing remote attackers to obtain sensitive data when a user is enticed into interacting with attacker-controlled content. Dell rates the issue at CVSS 7.5 with high attack complexity and required user interaction, and no public exploit has been identified at time of analysis.
Broken or risky cryptographic algorithm use in Dell PowerFlex Manager 4.6.0.1 exposes network-accessible infrastructure management communications to potential interception and modification. Remote unauthenticated attackers who achieve the requisite network positioning, consistent with the CVSS AC:H rating, could exploit weak or deprecated cryptographic primitives to partially disclose sensitive management data (C:L) or tamper with communications in transit (I:L). Dell has addressed the issue in the multi-CVE advisory DSA-2026-066; no public exploit code and no active exploitation (not in CISA KEV) have been identified at time of analysis.