Cyber Posture

CVE-2026-22266

Medium

Published: 19 February 2026

Modified: 20 February 2026
CVSS Score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0002 (6.1th percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22266 is a medium-severity Improper Neutralization of Expression/Command Delimiters (CWE-146) vulnerability in Dell PowerProtect Data Manager. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct mapping to exploitation of a vulnerable public-facing REST API allowing bypass of source verification protections.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.

Deeper analysis (AI-generated)

CVE-2026-22266 is an Improper Verification of Source of a Communication Channel vulnerability (CWE-146) affecting the REST API in Dell PowerProtect Data Manager versions prior to 19.22. The flaw stems from inadequate validation of where a communication channel originates, which can allow actions that the application's security boundaries were meant to prevent. The vulnerability received a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L): medium severity, because it is reachable over the network with low attack complexity but requires high privileges.

A high-privileged attacker with remote access can exploit this vulnerability to bypass protection mechanisms. Exploitation requires no user interaction and the scope is unchanged, so the expected impact is low-level effects on confidentiality, integrity, and availability within the affected component, such as limited unauthorized data access, modification, or disruption.

Dell's security advisory DSA-2026-046, available at https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities, addresses this and other vulnerabilities in PowerProtect Data Manager with a security update to version 19.22 or later. Security practitioners should review the advisory for patching instructions and apply updates promptly to mitigate risks.

Details

Affected Products

Vendor: Dell
Product: PowerProtect Data Manager
Versions: ≤ 19.22

CVEs Like This One

CVE-2026-22267 (same product: Dell PowerProtect Data Manager)
CVE-2026-26944 (same vendor: Dell)
CVE-2025-26336 (same vendor: Dell)
CVE-2025-43995 (same vendor: Dell)
CVE-2025-22475 (same vendor: Dell)
CVE-2025-43728 (same vendor: Dell)
CVE-2026-27101 (same vendor: Dell)
CVE-2024-49601 (same vendor: Dell)
CVE-2025-36604 (same vendor: Dell)
CVE-2026-26354 (same vendor: Dell)
