Description
Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.
Published: 2026-05-11
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability involves improper neutralization of formula elements in CSV files uploaded through the administrative UI, classified as CWE-1236. An unauthenticated attacker with remote access could trigger remote execution, potentially compromising system integrity and confidentiality.

Affected Systems

The affected systems are Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0. These deployments are vulnerable when using the default configuration of the UI for CSV uploads.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, leveraging an unauthenticated session to submit a malicious CSV file via the UI, thereby enabling remote code execution.

Generated by OpenCVE AI on May 11, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell ECS/ObjectScale security update identified in DSA‑2026‑047
  • Disable or restrict the CSV upload feature in the administrative UI for users who do not require it, or enforce strict access controls
  • Implement network segmentation or firewall rules to block unauthorized access to the UI from untrusted networks

Generated by OpenCVE AI on May 11, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Dell elastic Cloud Storage
CPEs cpe:2.3:a:dell:elastic_cloud_storage:*:*:*:*:*:*:*:*
cpe:2.3:a:dell:objectscale:*:*:*:*:*:*:*:*
Vendors & Products Dell elastic Cloud Storage

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell ecs
Dell objectscale
Vendors & Products Dell
Dell ecs
Dell objectscale

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Improper Neutralization of Formula Elements in CSV File Allowing Remote Execution

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.
Weaknesses CWE-1236
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Dell Ecs Elastic Cloud Storage Objectscale
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-05-12T19:49:11.038Z

Reserved: 2026-04-01T17:04:27.475Z

Link: CVE-2026-35157

cve-icon Vulnrichment

Updated: 2026-05-11T13:59:07.555Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T10:16:13.490

Modified: 2026-05-12T17:19:22.237

Link: CVE-2026-35157

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:23:17Z

Weaknesses