Description
Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete.
Published: 2026-02-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an Improper Limitation of a Pathname to a Restricted Directory, known as a path traversal flaw. It allows a high-privileged attacker who can reach the Avamar system remotely to delete any file on the appliance's file system, potentially compromising data integrity and availability. This is a direct consequence of the CWE-22 weakness, leading to destructive operations rather than code execution or data exfiltration.

Affected Systems

Dell Avamar Server and Dell Avamar Virtual Edition, versions earlier than 19.10 SP1 with CHF338912, as well as Dell PowerProtect DP Series Appliance (IDPA), are susceptible to this flaw. These products rely on proper pathname limitation to prevent file system traversal.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity, while the EPSS score of less than 1% suggests that the likelihood of exploitation is low at this time. The vulnerability can be used by an attacker who possesses high-privileged remote access to the Avamar appliance to delete arbitrary files, potentially leading to data loss or service disruption. The flaw is not listed in the CISA KEV catalog, implying no publicly known active exploits.

Generated by OpenCVE AI on April 17, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Dell security update DSA-2026-053 to upgrade to 19.10 SP1 or later.
  • Revoke or remove unnecessary high-privileged remote access to the Avamar management interface.
  • Implement network segmentation or firewall rules to restrict external remote connections to the Avamar appliance and continuously monitor logs for unauthorized privileged actions.

Generated by OpenCVE AI on April 17, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Title Path Traversal Allowing Arbitrary File Deletion in Dell Avamar

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell avamar Server
Dell avamar Virtual Edition
Dell powerprotect Dp Series Appliance (idpa)
Vendors & Products Dell
Dell avamar Server
Dell avamar Virtual Edition
Dell powerprotect Dp Series Appliance (idpa)

Tue, 17 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete.
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Dell Avamar Server Avamar Virtual Edition Powerprotect Dp Series Appliance (idpa)
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-03-06T15:35:21.083Z

Reserved: 2026-01-09T18:05:08.763Z

Link: CVE-2026-22762

cve-icon Vulnrichment

Updated: 2026-03-06T15:35:15.398Z

cve-icon NVD

Status : Deferred

Published: 2026-02-17T20:22:09.647

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22762

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses