{"api_version":"1","generated_at":"2026-04-22T22:50:33+00:00","cve":"CVE-2026-35072","urls":{"html":"https://cve.report/CVE-2026-35072","api":"https://cve.report/api/cve/CVE-2026-35072.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-35072","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-35072"},"summary":{"title":"CVE-2026-35072","description":"Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.","state":"PUBLISHED","assigner":"dell","published_at":"2026-04-17 11:16:10","updated_at":"2026-04-17 15:07:18"},"problem_types":["CWE-78","CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":[{"version":"3.1","source":"security_alert@emc.com","type":"Secondary","score":"6.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":6.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities","name":"https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities","refsource":"security_alert@emc.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-35072","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35072","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Dell","product":"PowerProtect Data Domain","version":"affected 8.6.1.10, 8.7.0.1 or later semver","platforms":[]},{"source":"CNA","vendor":"Dell","product":"PowerProtect Data Domain","version":"affected 8.3.1.30 or later semver","platforms":[]},{"source":"CNA","vendor":"Dell","product":"PowerProtect Data Domain","version":"affected 7.13.1.70 or later semver","platforms":[]},{"source":"CNA","vendor":"Dell","product":"PowerProtect Data Domain","version":"affected 2.7.9 with DD OS 8.3.1.30 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"35072","cve":"CVE-2026-35072","epss":"0.000180000","percentile":"0.044510000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"PowerProtect Data Domain","vendor":"Dell","versions":[{"lessThan":"8.6.1.10, 8.7.0.1 or later","status":"affected","version":"0","versionType":"semver"},{"lessThan":"8.3.1.30 or later","status":"affected","version":"0","versionType":"semver"},{"lessThan":"7.13.1.70 or later","status":"affected","version":"0","versionType":"semver"},{"lessThan":"2.7.9 with DD OS 8.3.1.30","status":"affected","version":"0","versionType":"semver"}]}],"datePublic":"2026-04-15T18:30:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges."}],"value":"Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":6.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-17T10:48:48.167Z","orgId":"c550e75a-17ff-4988-97f0-544cde3820fe","shortName":"dell"},"references":[{"tags":["vendor-advisory"],"url":"https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"c550e75a-17ff-4988-97f0-544cde3820fe","assignerShortName":"dell","cveId":"CVE-2026-35072","datePublished":"2026-04-17T10:48:48.167Z","dateReserved":"2026-04-01T05:04:41.954Z","dateUpdated":"2026-04-17T10:48:48.167Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-17 11:16:10","lastModifiedDate":"2026-04-17 15:07:18","problem_types":["CWE-78","CWE-78 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":{"cvssMetricV31":[{"source":"security_alert@emc.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.8,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"35072","Ordinal":"1","Title":"CVE-2026-35072","CVE":"CVE-2026-35072","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"35072","Ordinal":"1","NoteData":"Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.","Type":"Description","Title":"CVE-2026-35072"}]}}}