CVE-2026-28263: XSS in Dell PowerProtect Data Domain
Platform
linux
Component
dell-powerprotect-data-domain
Fixed in
8.6.0.0 or later
CVE-2026-28263 describes a cross-site scripting (XSS) vulnerability present in Dell PowerProtect Data Domain. Successful exploitation could allow a high-privileged attacker with remote access to inject malicious scripts into the system. This vulnerability impacts versions 7.7.1.0 through 8.5, LTS2025 versions 8.3.1.0 through 8.3.1.20, and LTS2024 versions 7.13.1.0 through 7.13.1.50. Dell has released a patch in version 8.6.0.0 and later.
Impact and Attack Scenarios
The primary impact of this XSS vulnerability lies in the potential for an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Data Domain appliance. This could lead to various malicious actions, including the theft of sensitive data such as credentials, session cookies, or other confidential information stored within the appliance's web interface. An attacker could also potentially redirect users to malicious websites, deface the Data Domain interface, or even gain further access to the underlying system if the injected script can exploit other vulnerabilities. The high-privilege requirement mitigates some risk, but access to administrative interfaces is often a prime target for attackers.
Exploitation Context
This vulnerability was published on April 17, 2026. Severity is currently assessed as Medium. There are no known public exploits or active campaigns targeting this specific vulnerability at the time of publication. It is not currently listed on CISA’s Known Exploited Vulnerabilities catalog. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Threat Intelligence
Exploit Status
EPSS
0.01% (1% percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- High — admin or privileged account required to exploit.
- User Interaction
- Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- Low — partial or intermittent denial of service. Attacker can degrade performance.
Affected Software
Weakness Classification (CWE)
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The recommended mitigation is to upgrade to Dell PowerProtect Data Domain version 8.6.0.0 or later, which contains the fix for this vulnerability. If immediate upgrading is not feasible, consider implementing temporary workarounds such as strict input validation and output encoding within the Data Domain web interface. Employing a Web Application Firewall (WAF) with XSS filtering rules can also help to block malicious requests. Regularly review and update firewall rules to ensure they are effective against emerging threats. After upgrading, verify the fix by attempting to inject a simple script through the web interface and confirming that it is properly sanitized.
How to fix
Actualice su sistema Dell PowerProtect Data Domain a la versión 8.6.0.0 o posterior, o a la versión 8.3.1.20 o posterior para LTS2025, o a la versión 7.13.1.50 o posterior para LTS2024. Consulte la nota de Dell Security Advisory DSA-2026-060 para obtener más detalles e instrucciones de actualización.
Frequently asked questions
What is CVE-2026-28263 — XSS in Dell PowerProtect Data Domain?
CVE-2026-28263 is a cross-site scripting (XSS) vulnerability affecting Dell PowerProtect Data Domain versions 7.7.1.0–8.6.0.0, allowing attackers to inject scripts with remote access.
Am I affected by CVE-2026-28263 in Dell PowerProtect Data Domain?
You are affected if your Dell PowerProtect Data Domain is running versions 7.7.1.0 through 8.5, LTS2025 versions 8.3.1.0 through 8.3.1.20, or LTS2024 versions 7.13.1.0 through 7.13.1.50.
How do I fix CVE-2026-28263 in Dell PowerProtect Data Domain?
Upgrade to Dell PowerProtect Data Domain version 8.6.0.0 or later. Consider temporary workarounds like input validation and WAF rules if immediate upgrade isn't possible.
Is CVE-2026-28263 being actively exploited?
Currently, there are no known public exploits or active campaigns targeting CVE-2026-28263, but continuous monitoring is recommended.
Where can I find the official Dell advisory for CVE-2026-28263?
Refer to the official Dell Security Advisory for CVE-2026-28263, published on April 17, 2026. Check Dell's support website for the latest information.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...