CVE-2026-26357
Description
Dell Unisphere for PowerMax, version 9.2.4.x, contains an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low-privileged attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-26357 is a stored cross-site scripting vulnerability in Dell Unisphere for PowerMax 9.2.4.x that lets a low-privileged attacker inject malicious scripts leading to session theft and data disclosure.
Vulnerability Overview
CVE-2026-26357 is a stored cross-site scripting (XSS) vulnerability affecting Dell Unisphere for PowerMax, version 9.2.4.x. The root cause lies in improper neutralization of user-supplied input during web page generation. A low-privileged attacker with remote access can inject arbitrary HTML or JavaScript that, when rendered by an authenticated victim's browser, executes in the context of the vulnerable Unisphere application. [1]
Attack Scenario
An attacker authenticated with low privileges can craft a malicious payload and submit it through an input field or other user-controllable parameter. No further privileges are required beyond the initial low-level access. When a privileged user (or any victim) browses to the affected page, the injected script executes in their browser session. This requires no specific interaction beyond normal use of the web interface. [1]
Impact
Successful exploitation allows the attacker to steal session cookies, exfiltrate sensitive data, or perform client-side request forgery on behalf of the victim. Since the attack executes within the victim's authenticated session, it can bypass normal access controls and lead to unauthorized actions and information disclosure. [1]
Mitigation
Dell has released a security advisory (DSA-2025-425) as part of a broader update that addresses this vulnerability along with numerous other CVEs. Users are strongly encouraged to update their Dell Unisphere for PowerMax installations to the latest patched version to mitigate this risk. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: 9.2.4.x
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.