CVE-2026-26360 - Vulnerability Details

- External Control of File Name or Path vulnerability allowing arbitrary file deletion in Dell Unisphere for PowerMax

Description

Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to delete arbitrary files.

Published: 2026-02-19

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Dell Unisphere for PowerMax version 10.2 contains an External Control of File Name or Path weakness that allows a low‑privileged attacker to delete arbitrary files on the system. This flaw means that an attacker who can reach the Unisphere management interface could specify any file path, resulting in destructive file removal and potential disruption of storage services. The vulnerability is classified as CWE‑73 and is listed with a CVSS score of 8.1, indicating a high potential for damage if exploited.

Affected Systems

The affected products are Dell PowerMax and Dell Unisphere for PowerMax, specifically version 10.2 of Unisphere. The CPE strings identify the general Unisphere application and its EEM component, but no further sub‑version details are provided beyond the 10.2 release channel.

Risk and Exploitability

The severity (CVSS 8.1) reflects the potential for significant disruption, yet the EPSS score falls below 1%, suggesting that, at present, exploitation opportunities are very limited. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which further reduces evidence of active attacks. The likely attack vector is remote, requiring native access to the Unisphere web interface, and is only feasible for a low‑privileged user who can establish a connection to the management service. If exploited, the attacker could delete critical configuration or data files, jeopardizing system availability and integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Dell

Unisphere for PowerMax

unaffected

Version	Status	Constraints
`N/A`	affected	< 10.3.0.1 or later

Dell

PowerMax

unaffected

Version	Status	Constraints
`N/A`	affected	< 10.3.0.1 or later

Configuration 1 [-]

OR	cpe:2.3:a:dell:unisphere_for_powermax::::::::
	cpe:2.3:a:dell:unisphere_for_powermax:::::eem:::*

No data.

Vendor Product Confidence Versions

Dell

Powermax Os

90%

Version	Status	Scheme	Platform
`[0,10.3.0.1)`	affected	semver	—

Dell

Unisphere For Powermax

100%

Version	Status	Scheme	Platform
`[0,10.3.0.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply Dell security update DSA‑2026‑102 for Unisphere for PowerMax
Restrict network access to the Unisphere management interface so that only trusted administrators can log in
Continuously monitor file system integrity to detect unexpected deletions and alert administrators

Generated by OpenCVE AI on April 18, 2026 at 11:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities

History

Sat, 18 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		External Control of File Name or Path vulnerability allowing arbitrary file deletion in Dell Unisphere for PowerMax

Mon, 23 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Feb 2026 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:dell:unisphere_for_powermax:::::::: cpe:2.3:a:dell:unisphere_for_powermax:::::eem:::*

Fri, 20 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dell Dell powermax Os Dell unisphere For Powermax
Vendors & Products		Dell Dell powermax Os Dell unisphere For Powermax

Thu, 19 Feb 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to delete arbitrary files.
Weaknesses		CWE-73
References		https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

Dell Powermax Os Unisphere For Powermax

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2026-02-19T08:41:00.849Z

Updated: 2026-02-23T18:35:11.184Z

Reserved: 2026-02-13T18:05:27.826Z

Link: CVE-2026-26360

Vulnrichment

Updated: 2026-02-23T18:35:05.721Z

NVD

Status : Analyzed

Published: 2026-02-19T09:16:25.737

Modified: 2026-02-20T20:59:06.040

Link: CVE-2026-26360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses

CWE-73

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object