66
CVEs
4
Critical
31
High
0
KEV
0
PoC
15
Unpatched C/H
69.7%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
4
HIGH
31
MEDIUM
28
LOW
3
Monthly CVE Trend
Affected Products (30)
Powerscale Onefs
78
Emc Powerscale Onefs
60
Latitude 9410 Firmware
57
Latitude 5511 Firmware
56
Latitude 5411 Firmware
56
Latitude 7310 Firmware
55
Embedded Box Pc 5000 Firmware
55
Latitude 7410 Firmware
55
Latitude 7480 Firmware
54
Latitude 5400 Firmware
54
Latitude 5310 Firmware
54
Vostro 3681 Firmware
53
Latitude 7290 Firmware
53
Chengming 3991 Firmware
53
Latitude 5310 2 In 1 Firmware
53
Latitude 9510 Firmware
53
Inspiron 3881 Firmware
53
Chengming 3990 Firmware
53
Precision 3550 Firmware
53
Vostro 3888 Firmware
53
Inspiron 3880 Firmware
53
Optiplex 3080 Firmware
53
Latitude 7390 Firmware
53
Vostro 3881 Firmware
53
Latitude 5410 Firmware
53
Latitude 7490 Firmware
53
Optiplex 7080 Firmware
53
Latitude 5500 Firmware
52
Precision 3440 Firmware
52
Latitude 5510 Firmware
52
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-53481 | Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV. | CRITICAL | 9.8 | 0.6% | 50 |
|
| CVE-2026-53483 | Improper authentication in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 branches) lets an unauthenticated, remote attacker bypass authentication and gain unauthorized access that Dell says can escalate to complete system control. Dell rates it critical (CVSS 9.8, CWE-287). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network-facing, no-privilege attack profile makes it a high-priority patch for backup/data-protection infrastructure. | CRITICAL | 9.8 | 0.6% | 50 |
|
| CVE-2026-41120 | Remote code execution affects Dell Wyse Management Suite in all versions prior to WMS 5.5 HF1, stemming from the application's acceptance of extraneous untrusted data alongside trusted data (CWE-349). Per the provided CVSS vector (PR:N), a remote unauthenticated attacker could potentially achieve full code execution against the management server, though the Dell description text characterizes the actor as 'low privileged' - a discrepancy worth verifying. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. | CRITICAL | 9.8 | 0.3% | 49 |
No patch
|
| CVE-2026-56688 | Root-level OS command execution in Dell PowerFlex Manager (versions prior to 5.1.0.1) lets a remote, high-privileged attacker inject operating-system commands during OS Repository processing, resulting in full appliance compromise. Because PowerFlex Manager orchestrates storage and HCI infrastructure, code execution as root also enables lateral movement into managed nodes. There is no public exploit identified at time of analysis, and Dell has released a fixed build (5.1.0.1) via advisory DSA-2026-066. | CRITICAL | 9.1 | 1.3% | 46 |
|
| CVE-2024-24909 | Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution. | HIGH | 8.8 | 0.4% | 44 |
|
| CVE-2026-54469 | Remote command execution in Dell Unisphere for PowerMax versions 10.3.0.5 and prior allows a low-privileged authenticated user to run arbitrary OS commands with root privileges by abusing unsafe deserialization of untrusted data (CWE-502). Because the CVSS vector is AV:N/AC:L/PR:L, any account with minimal access on the management interface can escalate to full root control of the storage-management appliance. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the low attack complexity and full CIA impact make it a high-priority patch for storage administrators. | HIGH | 8.8 | 0.4% | 44 |
|
| CVE-2026-35065 | Missing authentication on a critical function in Dell PowerFlex Manager allows an adjacent-network attacker to invoke privileged operations without credentials, yielding code execution, denial of service, information disclosure, tampering, and unauthorized access. No public exploit identified at time of analysis, and the affected version range was not populated in the source advisory placeholder. Dell self-reported the issue under DSA-2026-066. | HIGH | 8.8 | 0.3% | 44 |
No patch
|
| CVE-2026-44272 | SQL injection in Dell Wyse Management Suite (WMS) versions prior to 2605 allows authenticated low-privileged remote attackers to manipulate backend database queries, leading to unauthorized data access and potential integrity or availability impact. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability under low attack complexity, though no public exploit identified at time of analysis. The flaw is tagged with 'Authentication Bypass' implications, suggesting the SQLi could be leveraged to escalate beyond the attacker's initial low-privilege context. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-44271 | Authenticated SQL injection (CWE-89) in Dell Wyse Management Suite (WMS) before version 2605 lets a low-privileged remote user inject crafted SQL into application queries, yielding unauthorized read/write access to the management database with high impact to confidentiality, integrity, and availability. Tracked as EUVD-2026-38345 and disclosed by Dell in advisory DSA-2026-247, it carries CVSS 3.1 8.8 but has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), with CISA SSVC reporting no known exploitation. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2026-56086 | Improper authorization enforcement in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.6, plus LTS branches 8.6.1.0-8.6.1.10, 8.3.1.0-8.3.1.30, and 7.13.1.0-7.13.1.70) allows a low-privileged, remote authenticated attacker to reach resources or actions beyond their assigned role, resulting in unauthorized access. Rated CVSS 8.8 (High) with high confidentiality, integrity, and availability impact and low attack complexity. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the low barrier to exploitation for any existing account makes this a meaningful escalation risk on these backup appliances. | HIGH | 8.8 | 0.3% | 44 |
|
| CVE-2026-56690 | SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. | HIGH | 8.5 | 0.2% | 42 |
|
| CVE-2026-32804 | Authentication bypass in Dell PowerFlex Manager allows an unauthenticated attacker with adjacent-network access to gain unauthorized access to the management plane, with high impact to integrity and availability of the software-defined storage fabric. Dell's DSA-2026-066 advisory addresses this and other PowerFlex flaws; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Affected version range is not enumerated in the public record, which constrains accurate exposure scoping. | HIGH | 8.1 | 0.2% | 41 |
No patch
|
| CVE-2026-49502 | Improper authentication in Dell PowerFlex Manager allows unauthenticated attackers with adjacent network access to bypass authentication controls, resulting in information disclosure, data tampering, and unauthorized access to managed storage infrastructure. The vulnerability carries a CVSS 8.1 rating reflecting high confidentiality and integrity impact, though no public exploit identified at time of analysis and EPSS scores it at 0.19% probability. SSVC scoring from CISA indicates no observed exploitation and partial technical impact. | HIGH | 8.1 | 0.2% | 41 |
No patch
|
| CVE-2026-35069 | SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile). | HIGH | 8.0 | 0.2% | 40 |
No patch
|
| CVE-2026-35067 | Privilege escalation in Dell PowerFlex Manager allows a low-privileged attacker on an adjacent network segment to bypass access controls and gain unauthorized elevated access to the management plane. The CVSS 8.0 (High) score reflects significant confidentiality, integrity, and availability impact, though there is no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.13% (3rd percentile). CISA SSVC classifies exploitation as 'none' with non-automatable attack characteristics, indicating no observed real-world abuse despite the meaningful technical severity. | HIGH | 8.0 | 0.1% | 40 |
No patch
|