Description
Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
Published: 2026-02-17
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side cross‑site scripting enabling session theft, data disclosure, and request forgery
Action: Patch Immediately
AI Analysis

Impact

This vulnerability is a cross‑site scripting flaw in the web interface of Dell Unisphere for PowerMax 9.2.4.x and its Virtual Appliance 9.2.4.x. An attacker with low privileges but remote access to the web UI can inject malicious scripts that will execute in the victim’s browser while they are logged into the application. The impact is client‑side code execution, allowing attackers to steal session cookies, expose sensitive data, or forge client‑side requests on the victim’s behalf.

Affected Systems

Impact is limited to Dell Unisphere for PowerMax 9.2.4.18 and Dell Unisphere for PowerMax Virtual Appliance 9.2.4.17. These are the only versions explicitly identified as vulnerable in the advisory.

Risk and Exploitability

The CVSS base score of 5.4 indicates medium severity. The EPSS score of <1% suggests a low probability of exploitation under current conditions and the vulnerability is not listed in the CISA KEV catalog. Attackers would need network access to the Unisphere web interface and a user who visits a crafted page; a successful attack would be confined to the victim’s browser and would not break out of the sandbox to affect the host system.

Generated by OpenCVE AI on April 16, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Dell Unisphere for PowerMax security update that addresses the XSS flaw (v9.2.4.18 for PowerMax and v9.2.4.17 for the Virtual Appliance).
  • Restart the Unisphere services after applying the update so that the web application loads the patched code.
  • If an immediate update is not possible, restrict external access to the Unisphere web UI by applying firewall rules or VPN‑only access to limit exposure to trusted users.
  • Deploy a web application firewall or enable browser‑side XSS protections to mitigate risk until the official patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Title Cross‑site Scripting Vulnerability in Dell Unisphere for PowerMax Web Interface

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell unisphere For Powermax
Dell unisphere For Powermax Virtual Appliance
Vendors & Products Dell
Dell unisphere For Powermax
Dell unisphere For Powermax Virtual Appliance

Tue, 17 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Dell Unisphere For Powermax Unisphere For Powermax Virtual Appliance
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-03-06T18:57:26.524Z

Reserved: 2026-02-13T18:05:27.825Z

Link: CVE-2026-26357

cve-icon Vulnrichment

Updated: 2026-03-06T18:57:21.592Z

cve-icon NVD

Status : Deferred

Published: 2026-02-17T20:22:10.437

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses