CVE-2026-26360
Published: 19 February 2026
Summary
CVE-2026-26360 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Dell Unisphere for PowerMax. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by identifying, reporting, and applying the vendor-released security patch for CVE-2026-26360 as detailed in Dell's advisory.
Prevents exploitation of the External Control of File Name or Path vulnerability by validating and sanitizing remote inputs to block arbitrary file path manipulation and traversal attacks.
Enforces approved access authorizations to limit low-privileged remote attackers from deleting arbitrary files even if path manipulation partially succeeds.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability (CWE-73) sits in a management application that is reachable over the network, so exploitation maps to T1190. The resulting arbitrary file deletion maps to T1485, disrupting integrity and availability on critical systems.
NVD Description
Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability to delete arbitrary files.
Deeper analysis
CVE-2026-26360 is an External Control of File Name or Path vulnerability (CWE-73) affecting Dell Unisphere for PowerMax version 10.2. This flaw allows unauthorized manipulation of file paths, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for integrity and availability impacts over the network with low complexity and low privileges required.
A low-privileged attacker with remote access can exploit this vulnerability to delete arbitrary files on the affected system. The attack requires no user interaction and maintains an unchanged scope, enabling disruption of critical storage management operations in PowerMax environments without compromising confidentiality.
Dell's security advisory DSA-2026-102, detailed at https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities, addresses this and other vulnerabilities in Unisphere for PowerMax and PowerMax EEM with a security update. Practitioners should apply the patch to mitigate exploitation risks.
Details
- CWE(s)