CVE-2026-28263 - Vulnerability Details

- Cross‑Site Scripting in Dell PowerProtect Data Domain DD OS

Description

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a cross-site Scripting vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.

Published: 2026-04-17

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Dell PowerProtect Data Domain versions 7.7.1.0 through 8.5, LTS2025 8.3.1.0 through 8.3.1.20, and LTS2024 7.13.1.0 through 7.13.1.50 contain a cross‑site scripting vulnerability that allows a high‑privileged attacker with remote access to inject and execute arbitrary scripts. The flaw results from improper sanitization of user‑controlled input, classified as CWE‑79. Attackers could use the injected script to deface web interfaces or exfiltrate session data, compromising confidentiality and integrity of the management console.

Affected Systems

Affected systems include Dell PowerProtect Data Domain devices running the Data Domain Operating System (DD OS) Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, and LTS2024 release versions 7.13.1.0 through 7.13.1.50. All variants of the product that match these version ranges are vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium impact, while the EPSS score is not available, so the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker must have high‑privilege and remote access to the device, making the attack vector remote but limited to privileged users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Dell

PowerProtect Data Domain

unaffected

Version	Status	Constraints
`0`	affected	< 8.6.0.0 or later
`0`	affected	< 8.3.1.20 or later
`0`	affected	< 7.13.1.50 or later
`0`	affected	< 2.7.9 with DD OS 8.3.1.30

No data.

Vendor Product Confidence Versions

Dell

Powerprotect Data Domain

100%

Version	Status	Scheme	Platform
`[0,8.6.0.0)`	affected	generic	—
`[0,8.3.1.20)`	affected	generic	—
`[0,7.13.1.50)`	affected	generic	—
`[0,2.7.9 with DD OS 8.3.1.30)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Download and install the Dell PowerProtect Data Domain security update from Dell’s support site (https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities).
Upgrade the DD OS to a version that includes the fix; any release above the affected ranges is safe.
If an upgrade is not immediately possible, restrict network access to the Data Domain device and enforce least privilege for remote users to prevent high‑privileged attackers from exploiting the flaw.

Generated by OpenCVE AI on April 18, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities

History

Sat, 18 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
Title		Cross‑Site Scripting in Dell PowerProtect Data Domain DD OS

Sat, 18 Apr 2026 03:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 17 Apr 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dell Dell powerprotect Data Domain
Vendors & Products		Dell Dell powerprotect Data Domain

Fri, 17 Apr 2026 12:00:00 +0000

Type	Values Removed	Values Added
Description		Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain a cross-site Scripting vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.
Weaknesses		CWE-79
References		https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

Dell Powerprotect Data Domain

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2026-04-17T11:44:12.943Z

Updated: 2026-04-18T02:57:02.616Z

Reserved: 2026-02-25T18:04:25.462Z

Link: CVE-2026-28263

Vulnrichment

Updated: 2026-04-18T02:56:59.062Z

NVD

Status : Awaiting Analysis

Published: 2026-04-17T12:16:32.473

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-28263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object