Description
Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure.
Published: 2026-06-17
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dell PowerFlex Manager has an SQL injection vulnerability (CWE‑89) due to improper neutralization of special characters in SQL commands. A low‑privileged attacker with network access adjacent to the manager can inject malicious queries. Exploitation may expose configuration data, user credentials, or other sensitive information from the PowerFlex database, affecting confidentiality.

Affected Systems

Affected product is Dell PowerFlex Manager, versions earlier than 5.1.0.1. The vulnerability exists in all releases identified by Dell as vulnerable in the security update. No other Dell products or vendor releases are impacted.

Risk and Exploitability

The CVSS score of 3.5 indicates low severity, while the EPSS score is below 1%, suggesting a low likelihood of active exploitation. The vulnerability is not listed in CISA KEV catalog. Attack requires a low‑privileged account on a network segment that can reach PowerFlex Manager, limiting the scope to adjacent hosts and not providing remote code execution or denial of service.

Generated by OpenCVE AI on June 25, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Dell PowerFlex security update that fixes the SQL injection flaw
  • Restrict network access to PowerFlex Manager to trusted administrative interfaces via segmentation or firewall rules, ensuring adjacent hosts cannot reach the manager
  • Monitor database activity logs for abnormal query patterns or repeated failed credential attempts to detect potential exploitation
  • Review application code to use parameterized statements or stored procedures to mitigate future injection vulnerabilities

Generated by OpenCVE AI on June 25, 2026 at 16:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell powerflex
Vendors & Products Dell
Dell powerflex

Thu, 25 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Dell PowerFlex Manager Enables Low‑Privilege Information Disclosure

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure.

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Dell PowerFlex Manager Enables Low‑Privilege Information Disclosure

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure.
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-06-25T13:03:58.190Z

Reserved: 2026-04-01T05:04:41.954Z

Link: CVE-2026-35068

cve-icon Vulnrichment

Updated: 2026-06-17T17:58:24.914Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:40:54Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')