CVE-2026-26943
Received
Received - Intake
OS Command Injection in Dell PowerProtect Data Domain Allows Root Access
Publication date: 2026-04-20
Last updated on: 2026-04-28
Assigner: Dell
Description
Description
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dell | powerprotect_dp_series_appliance | to 2.7.9 (exc) |
| dell | data_domain_operating_system | From 7.14.0.0 (inc) to 8.3.1.30 (exc) |
| dell | data_domain_operating_system | From 7.7.1.0 (inc) to 7.13.1.70 (exc) |
| dell | data_domain_operating_system | From 8.4.0.0 (inc) to 8.6.1.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
