Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41122

CVE-2026-41122: Dell Data Domain Operating System XSS Flaw

CVE-2026-41122 is a stored XSS vulnerability in Dell PowerProtect Data Domain Operating System that enables unauthenticated attackers to steal sessions and disclose data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-41122 Overview

CVE-2026-41122 is a stored cross-site scripting (XSS) vulnerability affecting Dell PowerProtect Data Domain, tracked under [CWE-79]. The flaw resides in the Data Domain Operating System web interface and allows an unauthenticated remote attacker to inject persistent malicious script content. When an authenticated user renders the affected page, the injected payload executes in their browser context. Successful exploitation can lead to information disclosure, session theft, and client-side request forgery against the management interface. Dell has published advisory DSA-2026-278 addressing the issue across multiple release trains, including LTS2024, LTS2025, and LTS2026 branches.

Critical Impact

An unauthenticated attacker with network access to the Data Domain management interface can inject stored script payloads that execute in administrator browsers, enabling session hijacking against enterprise backup infrastructure.

Affected Products

  • Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7
  • Dell PowerProtect Data Domain LTS2026 versions 8.6.1.0 through 8.6.1.10 and LTS2025 versions 8.3.1.0 through 8.3.1.30
  • Dell PowerProtect Data Domain LTS2024 versions 7.13.1.0 through 7.13.1.70

Discovery Timeline

  • 2026-07-08 - CVE-2026-41122 published to the National Vulnerability Database
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-41122

Vulnerability Analysis

The vulnerability is a stored cross-site scripting flaw in the Dell Data Domain Operating System (DDOS) web management surface. Stored XSS occurs when user-controllable input is persisted on the server without proper output encoding and later rendered in the browser as executable script. In this case, the input vector is reachable prior to authentication, which broadens the attack surface considerably. Any input handler that accepts data over the network and later reflects that data into an authenticated administrator's view can carry the payload. Because Data Domain appliances are widely used as backup targets, the management interface is trusted by backup operators and storage administrators.

Root Cause

The root cause is missing or insufficient neutralization of script-bearing input during web page generation, consistent with [CWE-79]. Input entering an unauthenticated endpoint is stored and later rendered without contextual output encoding, allowing HTML and JavaScript to break out of intended data contexts.

Attack Vector

The attack vector is network-based and requires user interaction, as the payload activates when a victim loads the affected page. The scope is changed, meaning the injected script executes in a context beyond the attacker's initial authorization boundary, impacting the administrator session. Refer to the Dell Security Update DSA-2026-278 for vendor technical details.

Detection Methods for CVE-2026-41122

Indicators of Compromise

  • Unexpected <script>, onerror, or javascript: fragments stored in Data Domain management fields, log entries, or configuration objects.
  • Administrator browser sessions issuing unusual outbound requests or unexpected API calls to the Data Domain appliance shortly after loading a management page.
  • Anomalous session token reuse from IP addresses that do not match the originating administrator workstation.

Detection Strategies

  • Review DDOS web server access logs for POST or PUT requests from unauthenticated sources containing HTML entities, angle brackets, or encoded script keywords.
  • Inspect stored configuration and comment fields in the management interface for injected markup that would render as script.
  • Correlate administrator login events with subsequent client-side activity to identify sessions that trigger anomalous API traffic immediately after page loads.

Monitoring Recommendations

  • Restrict and log all access to the Data Domain management interface, alerting on unauthenticated requests that submit form data.
  • Enable browser-side Content Security Policy (CSP) violation reporting where supported to surface unexpected inline script execution.
  • Monitor for creation or modification of Data Domain administrative accounts, replication targets, or retention policies immediately following management UI access.

How to Mitigate CVE-2026-41122

Immediate Actions Required

  • Apply the fixed release identified in Dell Security Update DSA-2026-278 to all affected LTS2024, LTS2025, LTS2026, and mainline Data Domain systems.
  • Restrict network reachability of the Data Domain management interface to trusted administrative subnets and jump hosts only.
  • Rotate administrator credentials and invalidate active management sessions after patching to remove any tokens that may have been captured.

Patch Information

Dell has released fixed builds for Dell PowerProtect Data Domain across the affected trains. Upgrade paths and specific fixed versions for the 7.7.1.08.7 range, LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches are documented in advisory DSA-2026-278. Customers should consult the advisory to select the correct fixed release for their deployed train and schedule the upgrade through standard change control.

Workarounds

  • Place the Data Domain management interface behind a reverse proxy or web application firewall configured to strip or block script-bearing payloads until patches are applied.
  • Limit administrator browser access to Data Domain to dedicated, hardened workstations that do not share sessions with general-purpose browsing.
  • Enforce short session lifetimes and require re-authentication for sensitive management operations to reduce the window in which stolen tokens remain valid.
bash
# Configuration example: restrict management interface access at the network layer
# (adjust interface and subnet to match your environment)
iptables -A INPUT -p tcp --dport 443 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.