Description
Dell PowerScale InsightIQ, versions 6.0.0 through 6.2.0, contains an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
Published: 2026-05-12
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dell PowerScale InsightIQ systems that run versions 6.0.0 through 6.2.0 contain an OS Command Injection weakness caused by improper neutralization of special elements used in a command string (CWE‑78). When a high‑privileged user with local access submits data that is incorporated directly into an operating‑system command, the system may execute arbitrary commands chosen by the attacker. This flaw allows the attacker to gain full control over the affected host, enabling data exfiltration, alteration, or denial of service.

Affected Systems

The vulnerability affects Dell’s PowerScale InsightIQ product, specifically all releases from version 6.0.0 up to and including 6.2.0. Any deployment of these versions is potentially susceptible if the exposed interface remains accessible to users with elevated local privileges.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity of impact, though the EPSS score is currently unavailable and the flaw is not listed in the CISA KEV catalog. Exploitation requires a local, high‑privileged account on the InsightIQ system, meaning that the attacker must already have significant access. Once logged in, the attacker can execute arbitrary OS commands, compromising the integrity and availability of the system and potentially enabling further lateral movement within the environment.

Generated by OpenCVE AI on May 12, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Dell’s latest security update for PowerScale InsightIQ covering versions 6.0.0 through 6.2.0 as described in the Dell advisory
  • If the patch is not yet available, restrict local access to the InsightIQ system to strictly necessary privileged accounts and isolate those services in a dedicated, highly‑secured administrative segment
  • Audit the InsightIQ configuration for any exposed command‑execution interfaces and remove or harden them; apply strict input validation to prevent future command‑injection vulnerabilities

Generated by OpenCVE AI on May 12, 2026 at 15:22 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dell insightiq |
| CPEs | | cpe:2.3:a:dell:insightiq:*:*:*:*:*:*:*:* |
| Vendors & Products | | Dell insightiq |

Tue, 12 May 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | OS Command Injection in Dell PowerScale InsightIQ |
| First Time appeared | | Dell; Dell powerscale Insightiq |
| Vendors & Products | | Dell; Dell powerscale Insightiq |

Tue, 12 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 12 May 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Dell PowerScale InsightIQ, versions 6.0.0 through 6.2.0, contains an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-05-12T14:38:04.043Z

Reserved: 2026-04-01T05:04:41.954Z

Link: CVE-2026-35071

Vulnrichment

Updated: 2026-05-12T14:38:00.539Z

NVD

Status: Analyzed

Published: 2026-05-12T14:17:02.240

Modified: 2026-05-12T19:49:35.160

Link: CVE-2026-35071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T15:30:18Z

Weaknesses