| Metric | Value |
|---|---|
| CVEs | 26 |
| Critical | 1 |
| High | 5 |
| KEV | 0 |
| PoC | 0 |
| Unpatched C/H | 0 |
| Patch Rate | 92.3% |
| Avg EPSS | 0.0% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 1 |
| HIGH | 5 |
| MEDIUM | 15 |
| LOW | 2 |

Monthly CVE Trend
Affected Products (30)

| Product | Count |
|---|---|
| Powerscale Onefs | 21 |
| Unity Operating Environment | 19 |
| Linux Kernel | 15 |
| Smartfabric Os10 | 14 |
| Powerprotect Data Manager | 13 |
| Wyse Management Suite | 13 |
| Data Domain Operating System | 10 |
| Cloudlink | 8 |
| Powerflex Manager | 8 |
| Powerflex Manager Rack | 7 |
| Alienware Command Center | 7 |
| Thinos | 7 |
| Powerflex Manager Appliance | 7 |
| Supportassist Os Recovery | 5 |
| Ubuntu | 5 |
| Objectscale | 5 |
| Elastic Cloud Storage | 5 |
| Storage Manager | 5 |
| Secure Connect Gateway | 4 |
| Networker | 4 |
| Unisphere For Powermax | 4 |
| Precision 3490 Firmware | 3 |
| Precision 3590 Firmware | 3 |
| Recoverpoint For Virtual Machines | 3 |
| Open Redirect | 3 |
| Latitude 7650 Firmware | 3 |
| Latitude 7350 Firmware | 3 |
| Latitude 5550 Firmware | 3 |
| Latitude 5350 Firmware | 3 |
| Latitude 7350 Detachable Firmware | 3 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-40636 | Hard-coded credentials in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale <4.3.0.0 allow unauthenticated filesystem access. Despite CVSS 9.8 (network vector), the description explicitly states 'local access' is required, creating a critical discrepancy between scoring and actual attack surface. Attackers with local system access can leverage embedded credentials to gain unauthorized filesystem access. No active exploitation (CISA KEV) or public exploit confirmed at time of analysis. Dell advisory DSA-2026-047 addresses the vulnerability. | CRITICAL | 9.8 | 0.1% | 49 | |
| CVE-2026-35071 | OS command injection in Dell PowerScale InsightIQ 6.0.0 through 6.2.0 allows high-privileged local administrators to execute arbitrary system commands with elevated privileges, achieving container escape (scope change) on the storage cluster management platform. Dell published security advisory DSA-2026-208 addressing this vulnerability. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis. | HIGH | 8.2 | 0.0% | 41 | |
| CVE-2026-32658 | Missing authorization in Dell Automation Platform before 2.0.0.0 allows authenticated remote attackers to elevate privileges to high-integrity access. The vulnerability requires low-level authentication and user interaction but enables complete compromise of confidentiality, integrity, and availability. CVSS 8.0 (High) reflects the significant impact despite the authentication prerequisite. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though Dell has released patches per DSA-2026-193. | HIGH | 8.0 | 0.0% | 40 | |
| CVE-2026-42997 | Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limited Keystone tokens or molds storage credentials by manipulating import operations. Attackers with low-privileged Ironic access can redirect these credentials to attacker-controlled endpoints, gaining unauthorized access to all OpenStack services that Ironic is authorized for. Fixed in versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. CVSS 7.7 with scope change (S:C) reflects the privilege escalation from Ironic-only access to full OpenStack service access. | HIGH | 7.7 | 0.0% | 39 | |
| CVE-2025-32750 | Information disclosure in Dell PowerFlex Manager (Appliance, Rack, and core Manager) versions 4.6.2 and earlier allows unauthenticated remote attackers to enumerate server contents through exposed directory listings. The flaw carries a CVSS 7.5 (high) rating driven entirely by confidentiality impact and requires no privileges or user interaction, though no public exploit was identified at time of analysis and the issue is not on CISA KEV. | HIGH | 7.5 | 0.1% | 38 | |
| CVE-2026-35155 | Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exist | HIGH | 7.1 | 0.0% | 36 | |
| CVE-2026-41119 | Improper SSL/TLS certificate validation in Dell Live Optics Windows and Personal Edition collectors allows remote attackers to intercept and modify data transmitted by the collector. The vulnerability requires network positioning (man-in-the-middle) and user interaction, making exploitation moderately complex but enabling complete compromise of data confidentiality and integrity for collector communications. Dell has released patches in version 27.1.10.1 to address the certificate validation flaw. | MEDIUM | 6.8 | 0.0% | 34 | |
| CVE-2026-26946 | Improper privilege management in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.3.0.0 allows high-privileged local attackers to escalate privileges and gain full system access, affecting confidentiality, integrity, and availability. No public exploit code or active exploitation has been identified at the time of analysis. | MEDIUM | 6.7 | 0.0% | 34 | |
| CVE-2026-40638 | Local privilege escalation in Dell PowerScale InsightIQ versions 5.0.0 through 6.2.0 allows high-privileged attackers to execute code with unnecessary elevated privileges, potentially escalating to full system compromise. The vulnerability requires existing local access and a high privilege level on the affected system; no public exploit has been identified at time of analysis. | MEDIUM | 6.7 | 0.0% | 34 | |
| CVE-2026-35070 | Command injection in Dell SmartFabric Storage Software versions prior to 1.4.5 enables a high-privileged local attacker to gain unauthorized read and write access to the underlying filesystem. Exploitation requires local system presence and high-level privileges, with the CVSS vector (AV:L/AC:H/PR:H) indicating a constrained threat surface despite the high confidentiality, integrity, and availability impact scores. No public exploit was identified at time of analysis, and this vulnerability is not listed in CISA KEV. | MEDIUM | 6.4 | 0.0% | 32 | |
| CVE-2026-27105 | Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A | MEDIUM | 6.3 | 0.0% | 32 | |
| CVE-2025-26483 | Open redirect vulnerability in Dell PowerFlex Manager 4.6.2 and prior enables unauthenticated remote attackers to craft malicious application URLs that silently redirect targeted users to arbitrary attacker-controlled web destinations. Exploitation requires user interaction (CVSS UI:R), since a victim must follow a specially crafted link, but no authentication or special privileges are needed on the attacker's side. The primary risk is phishing: because the initial URL appears to point at a legitimate Dell infrastructure management portal, users are more likely to trust and follow it, making credential theft or sensitive data disclosure against PowerFlex administrators a realistic outcome. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis. | MEDIUM | 6.1 | 0.0% | 30 | |
| CVE-2026-35157 | Remote code execution in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.3.0.0 via improper neutralization of formula elements in CSV files processed by the UI. Unauthenticated remote attackers can exploit this vulnerability with user interaction (formula injection attack) to achieve remote execution with limited confidentiality, integrity, and availability impact. No active exploitation confirmed; exploitation requires victim interaction with malicious CSV content. | MEDIUM | 5.8 | 0.1% | 29 | |
| CVE-2025-43992 | Authentication bypass in Dell ECS Geo replication (versions 3.8.1.0-3.8.1.7) and Dell ObjectScale (prior to 4.3.0.0) allows unauthenticated remote attackers to access data in transit by exploiting assumed-immutable data assumptions. The vulnerability affects the replication authentication mechanism, enabling unauthorized data exposure without requiring valid credentials or user interaction. | MEDIUM | 5.6 | 0.1% | 28 | |
| CVE-2025-32751 | Dell PowerFlex Manager versions 4.6.2 and earlier improperly store sensitive information in a manner accessible to low-privileged local users, resulting in unauthorized disclosure of confidential data with high confidentiality impact per CVSS. Affected deployments span both the Appliance and Rack form factors of the platform. No public exploit code has been identified at time of analysis and CISA KEV does not list this vulnerability, though the CWE-922 root cause and the 'Authentication Bypass' tag suggest the exposed data may include credentials or tokens that could enable downstream privilege escalation or lateral movement. | MEDIUM | 5.5 | 0.0% | 28 | |