CVE-2026-35157
Received
Received - Intake
Improper CSV Formula Neutralization in Dell ECS and ObjectScale
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: Dell
Description
Description
Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dell | ecs | From 3.8.1.0 (inc) to 3.8.1.7 (inc) |
| dell | objectscale | to 4.3.0.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
