Description
Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
Published: 2026-02-17
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side Web Application Manipulation
Action: Apply Patch
AI Analysis

Impact

Dell Unisphere for PowerMax vApp versions 9.2.4.x contain an Improper Neutralization of Input During Web Page Generation vulnerability that allows a low‑privileged, remote attacker to inject malicious HTML or JavaScript into the application’s output. The injected code executes in the victim’s web browser, potentially leading to information disclosure, session theft, or client‑side request forgery.

Affected Systems

The affected product is Dell Unisphere for PowerMax vApp, specifically versions 9.2.4.x. Deployments whose web interface is reachable by remote, low‑privileged accounts are at risk, since the flaw is triggered through the web interface and the injected code runs in the browsers of other users of the application.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the Unisphere web application, a low‑privileged attacker account, and interaction by the victim user (the CVSS vector records UI:R); the injected code executes client‑side in the victim's browser, so mitigation relies primarily on patching or disabling the vulnerable functionality.

Generated by OpenCVE AI on April 17, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Dell's latest security patch for Unisphere for PowerMax vApp that fixes the XSS flaw.
  • Restrict the Unisphere web interface to authorized users and trusted networks, enforcing role‑based access control and network segmentation.
  • Ensure all user input is properly encoded before being rendered in HTML, and apply a strict Content Security Policy to prevent execution of injected scripts.
  • Monitor application logs for signs of XSS exploitation attempts and review browser console errors for anomalous activity.
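The third recommended action, output encoding plus a strict Content Security Policy, as an added illustration in JavaScript. This is example code written for this page, not Dell's or OpenCVE's code, and it says nothing about where the flaw sits in Unisphere; the page fragment, the function names and the sample display name are all assumptions. It places the unencoded rendering beside the hardened one so the difference in output is visible.

```javascript
// Added example (not part of the Dell product or the OpenCVE page): output
// encoding for the HTML body context, plus a strict Content-Security-Policy.

// Characters with meaning in HTML markup and their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode an untrusted value so the browser treats it as text, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical page fragment that renders a user-supplied display name.
// Unsafe version: the raw value is concatenated straight into the markup,
// so any tags or attributes in it become part of the page (CWE-79).
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome, ${displayName}</p>`;
}

// Hardened version: every untrusted value passes through escapeHtml before
// it reaches the HTML output, so markup characters are rendered literally.
function renderGreeting(displayName) {
  return `<p>Welcome, ${escapeHtml(displayName)}</p>`;
}

// Strict CSP header value: no inline scripts, scripts only from the
// application's own origin, no plugins, no framing by other sites.
function cspHeaderValue() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed sample input: a display name that contains markup characters.
const SAMPLE_NAME = 'O\'Neil <b>"admin"</b>';

console.log('unsafe  :', renderGreetingUnsafe(SAMPLE_NAME));
console.log('encoded :', renderGreeting(SAMPLE_NAME));
console.log('CSP     :', cspHeaderValue());
```

Encoding is context-specific: the table above is correct for text placed in the HTML body or inside a quoted attribute, but values placed into JavaScript, URLs or CSS need their own encoders. The CSP is a second layer that limits what an injection can do if an encoding step is missed; a policy that allows `'unsafe-inline'` for scripts would not provide that protection.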

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Site Scripting in Dell Unisphere for PowerMax vApp

Wed, 18 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dell; Dell unisphere For Powermax
Vendors & Products | | Dell; Dell unisphere For Powermax

Tue, 17 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-02-17T14:34:00.591Z

Reserved: 2026-01-16T18:05:07.319Z

Link: CVE-2026-23861

Vulnrichment

Updated: 2026-02-17T14:33:56.292Z

NVD

Status : Deferred

Published: 2026-02-17T14:16:01.773

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses