DSA-2026-287: Security Update Dell PowerProtect Data Manager for Multiple Security Vulnerabilities
Résumé: Dell PowerProtect Data Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Impact
Critical
Détails
|
Third-party Component |
CVEs |
More Information |
|
Apache Log4j |
CVE-2026-34479, CVE-2026-34480, CVE-2026-34478, CVE-2026-34477, CVE-2026-34481 |
|
|
Apache Tomcat |
CVE-2026-34500, CVE-2026-34487, CVE-2026-34483, CVE-2026-32990, CVE-2026-29146, CVE-2026-29145, CVE-2026-29129, CVE-2026-25854, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500, CVE-2026-29146 |
|
|
JetBrains Kotlin |
CVE-2020-29582 |
|
|
Thymeleaf |
CVE-2026-40477, CVE-2026-40478 |
|
|
OpenTelemetry-Java |
CVE-2026-45292 |
|
|
SimpleXML |
CVE-2017-1000190 |
|
|
golang.org/x/net/http2 |
CVE-2026-27141 |
|
|
mongo-go-driver |
CVE-2026-2303 |
|
|
opentelemetry-go |
CVE-2026-39883, CVE-2026-39882 |
|
|
jinja2 golang |
CVE-2026-33814, CVE-2026-39836, CVE-2026-33811, CVE-2026-39826 |
|
|
Axios |
CVE-2026-40175, CVE-2025-62718, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264 |
|
|
Leaflet |
CVE-2025-69993 |
|
|
Angular |
CVE-2026-32635, CVE-2026-41423 |
|
|
Linux kernel |
CVE-2023-2058, CVE-2023-53817, CVE-2024-38542, CVE-2025-37861, CVE-2025-39817, CVE-2025-39964, CVE-2025-39998, CVE-2025-40099, CVE-2025-40103, CVE-2025-40253, CVE-2025-54518, CVE-2025-71066, CVE-2025-71113, CVE-2025-71231, CVE-2026-23004, CVE-2026-23054, CVE-2026-23060, CVE-2026-23074, CVE-2026-23089, CVE-2026-23103, CVE-2026-23111, CVE-2026-23141, CVE-2026-23157, CVE-2026-23191, CVE-2026-23202, CVE-2026-23204, CVE-2026-23207, CVE-2026-23209, CVE-2026-23214, CVE-2026-23231, CVE-2026-23239, CVE-2026-23240, CVE-2026-23243, CVE-2026-23268, CVE-2026-23269, CVE-2026-23271, CVE-2026-23272, CVE-2026-23273, CVE-2026-23274, CVE-2026-23278, CVE-2026-23293, CVE-2026-23317, CVE-2026-23351, CVE-2026-23381, CVE-2026-23393, CVE-2026-23398, CVE-2026-23403, CVE-2026-23404, CVE-2026-23405, CVE-2026-23406, CVE-2026-23407, CVE-2026-23408, CVE-2026-23409, CVE-2026-23410, CVE-2026-23411, CVE-2026-23412, CVE-2026-23413, CVE-2026-23449, CVE-2026-23450, CVE-2026-23458, CVE-2026-23461, CVE-2026-23462, CVE-2026-31402, CVE-2026-31403, CVE-2026-31405, CVE-2026-31408, CVE-2026-31431, CVE-2026-31436, CVE-2026-31470, CVE-2026-31473, CVE-2026-31504, CVE-2026-31505, CVE-2026-31507, CVE-2026-31512, CVE-2026-31528, CVE-2026-31533, CVE-2026-31570, CVE-2026-31586, CVE-2026-31588, CVE-2026-31602, CVE-2026-31607, CVE-2026-31613, CVE-2026-31614, CVE-2026-31622, CVE-2026-31629, CVE-2026-31649, CVE-2026-31656, CVE-2026-31662, CVE-2026-31669, CVE-2026-31685, CVE-2026-31694, CVE-2026-31700, CVE-2026-31738, CVE-2026-31758, CVE-2026-31787, CVE-2026-31788, CVE-2026-43025, CVE-2026-43027, CVE-2026-43037, CVE-2026-43038, CVE-2026-43044, CVE-2026-43050, CVE-2026-43110, CVE-2026-43120, CVE-2026-43126, CVE-2026-43190, CVE-2026-43206, CVE-2026-43214, CVE-2026-43284, CVE-2026-43329, CVE-2026-43330, CVE-2026-43334, CVE-2026-43362, CVE-2026-43365, CVE-2026-43366, CVE-2026-43437, CVE-2026-43494, CVE-2026-43499, CVE-2026-43501, CVE-2026-43503, CVE-2026-45852, CVE-2026-45910, CVE-2026-45970, CVE-2026-46004, CVE-2026-46021, CVE-2026-46043, CVE-2026-46113, CVE-2026-46114, CVE-2026-46300, CVE-2026-46333 |
|
|
XZ Utils |
CVE-2026-34743 |
|
|
SSH servers |
CVE-2025-58181 |
|
|
GnuTLS |
CVE-2025-14831, CVE-2026-33845, CVE-2026-33846, CVE-2026-3833, CVE-2026-42009, CVE-2026-42010, CVE-2026-42011, CVE-2026-42012, CVE-2026-42013, CVE-2026-42014, CVE-2026-42015, CVE-2026-5260, CVE-2026-5419 |
|
|
Python cryptography |
CVE-2020-25659, CVE-2020-36242, CVE-2023-23931, CVE-2023-38325, CVE-2023-49083, CVE-2024-26130, CVE-2025-3416 |
|
|
rpc.mountd daemon nfs-utils |
CVE-2025-12801 |
|
|
PyYAML |
CVE-2017-18342, CVE-2020-14343, CVE-2020-1747 |
|
|
OAuthLib |
CVE-2022-36087 |
|
|
Requests |
CVE-2015-2296, CVE-2018-18074, CVE-2023-32681, CVE-2024-35195, CVE-2024-47081 |
|
|
Python (CPython) |
CVE-2025-13462, CVE-2026-1299, CVE-2026-1502, CVE-2026-3446, CVE-2026-3479, CVE-2026-3644, CVE-2026-4224, CVE-2026-4519, CVE-2026-4786, CVE-2026-6019, CVE-2026-6100 |
|
|
cloud-init |
CVE-2024-11584, CVE-2024-6174 |
|
|
Oracle Java SE Oracle GraalVM for JDK Oracle GraalVM |
CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 |
|
|
BIND resolver |
CVE-2026-1519 |
|
|
pyasn1 |
CVE-2026-30922 |
|
|
Sudo |
CVE-2026-35535 |
|
|
setuptools |
CVE-2024-6345, CVE-2025-47273 |
|
|
OpenSSH |
CVE-2026-3497, CVE-2026-35385, CVE-2026-35388, CVE-2026-35414 |
|
|
kjd/idna |
CVE-2024-3651 |
|
|
XSM/Flask |
CVE-2025-54505, CVE-2025-54518, CVE-2025-58150, CVE-2026-23553, CVE-2026-23554, CVE-2026-23555, CVE-2026-23557, CVE-2026-23558, CVE-2026-42487, CVE-2026-42488, CVE-2026-42489, CVE-2026-42490 |
|
|
webbrowser.open() |
CVE-2020-15523, CVE-2020-15801, CVE-2022-42919, CVE-2022-4303, CVE-2023-41105, CVE-2024-4030, CVE-2024-8088, CVE-2025-12781, CVE-2025-13462, CVE-2025-1795, CVE-2026-1299, CVE-2026-2297, CVE-2026-3479, CVE-2026-3644, CVE-2026-4224, CVE-2026-4519 |
|
|
Jinja |
CVE-2016-10745, CVE-2019-10906, CVE-2019-8341, CVE-2020-28493, CVE-2024-22195, CVE-2024-34064, CVE-2024-56201, CVE-2024-56326, CVE-2025-27516 |
|
|
configobj |
CVE-2023-26112 |
|
|
Erlang OTP |
CVE-2025-48038, CVE-2025-48039, CVE-2025-48040, CVE-2026-21620, CVE-2026-23941, CVE-2026-23942, CVE-2026-23943, CVE-2026-28808, CVE-2026-32147 |
|
|
libpng |
CVE-2026-33416, CVE-2026-33636 |
|
|
pyOpenSSL |
CVE-2026-27448, CVE-2026-27459 |
|
|
haveged |
CVE-2026-41054 |
|
|
glibc |
CVE-2026-4046, CVE-2026-4437, CVE-2026-4438, CVE-2026-5450, CVE-2026-5928 |
|
|
libcurl |
CVE-2025-14017, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, CVE-2025-15224, CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-3805, CVE-2026-4873, CVE-2026-5545, CVE-2026-6253, CVE-2026-6276, CVE-2026-6429 |
|
|
OpenPrinting CUPS |
CVE-2026-34990 |
|
|
util-linux |
CVE-2025-14104, CVE-2026-3184 |
|
|
vim |
CVE-2026-26269, CVE-2026-28417, CVE-2026-33412, CVE-2026-34714, CVE-2026-34982, CVE-2026-39881, CVE-2026-42307, CVE-2026-43961, CVE-2026-44656, CVE-2026-45130, CVE-2026-46483 |
|
|
libcap |
CVE-2026-4878 |
|
|
GNU Tar |
CVE-2025-45582 |
|
|
postgresql |
CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475, CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479, CVE-2026-6637, CVE-2026-6638 |
|
|
systemd |
CVE-2026-29111, CVE-2026-4105 |
|
|
busybox |
CVE-2026-29004 |
|
|
openssl |
CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789 |
|
|
gdk-pixbuf |
CVE-2026-5201 |
|
|
openssl |
CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790 |
|
|
py |
CVE-2020-29651, CVE-2022-42969 |
|
|
PostgreSQL |
CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVE-2026-2007, CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475, CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479, CVE-2026-6575, CVE-2026-6637, CVE-2026-6638 |
|
|
urllib3 |
CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, CVE-2026-44431 |
|
|
samba |
CVE-2026-2340, CVE-2026-3012, CVE-2026-3238, CVE-2026-4408, CVE-2026-4480 |
|
|
libexpat |
CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777, CVE-2026-32778 |
|
|
libtiff |
CVE-2026-4775 |
|
|
nghttp2 |
CVE-2026-27135 |
|
|
PyJWT |
CVE-2026-32597 |
|
Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|
CVE-2026-40712 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
9.1 |
|
|
CVE-2026-49499 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) a Generation of Incorrect Security Tokens vulnerability in the IAM. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
8.8 |
|
|
CVE-2026-46738 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
7.2 |
|
|
CVE-2026-40714 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
7.2 |
|
|
CVE-2026-46737 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote execution. |
6.7 |
|
|
CVE-2026-44276 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the REST API. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. |
6.0 |
|
Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|
CVE-2026-40712 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
9.1 |
|
|
CVE-2026-49499 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) a Generation of Incorrect Security Tokens vulnerability in the IAM. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
8.8 |
|
|
CVE-2026-46738 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
7.2 |
|
|
CVE-2026-40714 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. |
7.2 |
|
|
CVE-2026-46737 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Improper Input Validation vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote execution. |
6.7 |
|
|
CVE-2026-44276 |
Dell PowerProtect Data Manager, versions prior to 20.2.0.0, contain(s) an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the REST API. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. |
6.0 |
Produits concernés et mesure corrective
|
Product |
Affected Versions |
Remediated Versions |
Link |
|
Dell PowerProtect Data Manager |
Versions prior to 20.2.0.0 |
20.2.0.0 or later |
|
Product |
Affected Versions |
Remediated Versions |
Link |
|
Dell PowerProtect Data Manager |
Versions prior to 20.2.0.0 |
20.2.0.0 or later |
Historique des révisions
|
Revision |
Date |
Description |
|
1.0 |
2026-07-14 |
Initial Release |
|
2.0 |
2026-07-15 |
Updated Acknowledgements |
Remerciements
- CVE-2026-44276: Dell would like to thank shauntp for reporting this issue.
- CVE-2026-40712: Dell would like to thank WinD39 - Huynh Dinh Vu and Haxship1337 - Huynh Dinh Van for reporting this issue.
- CVE-2026-46738, CVE-2026-46737, CVE-2026-40714: Dell would like to thank WinD39 - Huynh Dinh Vu for reporting this issue.