CVE-2026-41122 Overview
CVE-2026-41122 is a stored cross-site scripting (XSS) vulnerability affecting Dell PowerProtect Data Domain, tracked under [CWE-79]. The flaw resides in the Data Domain Operating System web interface and allows an unauthenticated remote attacker to inject persistent malicious script content. When an authenticated user renders the affected page, the injected payload executes in their browser context. Successful exploitation can lead to information disclosure, session theft, and client-side request forgery against the management interface. Dell has published advisory DSA-2026-278 addressing the issue across multiple release trains, including LTS2024, LTS2025, and LTS2026 branches.
Critical Impact
An unauthenticated attacker with network access to the Data Domain management interface can inject stored script payloads that execute in administrator browsers, enabling session hijacking against enterprise backup infrastructure.
Affected Products
- Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7
- Dell PowerProtect Data Domain LTS2026 versions 8.6.1.0 through 8.6.1.10 and LTS2025 versions 8.3.1.0 through 8.3.1.30
- Dell PowerProtect Data Domain LTS2024 versions 7.13.1.0 through 7.13.1.70
Discovery Timeline
- 2026-07-08 - CVE-2026-41122 published to the National Vulnerability Database
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-41122
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw in the Dell Data Domain Operating System (DDOS) web management surface. Stored XSS occurs when user-controllable input is persisted on the server without proper output encoding and later rendered in the browser as executable script. In this case, the input vector is reachable prior to authentication, which broadens the attack surface considerably. Any input handler that accepts data over the network and later reflects that data into an authenticated administrator's view can carry the payload. Because Data Domain appliances are widely used as backup targets, the management interface is trusted by backup operators and storage administrators.
Root Cause
The root cause is missing or insufficient neutralization of script-bearing input during web page generation, consistent with [CWE-79]. Input entering an unauthenticated endpoint is stored and later rendered without contextual output encoding, allowing HTML and JavaScript to break out of intended data contexts.
Attack Vector
The attack vector is network-based and requires user interaction, as the payload activates when a victim loads the affected page. The scope is changed, meaning the injected script executes in a context beyond the attacker's initial authorization boundary, impacting the administrator session. Refer to the Dell Security Update DSA-2026-278 for vendor technical details.
Detection Methods for CVE-2026-41122
Indicators of Compromise
- Unexpected <script>, onerror, or javascript: fragments stored in Data Domain management fields, log entries, or configuration objects.
- Administrator browser sessions issuing unusual outbound requests or unexpected API calls to the Data Domain appliance shortly after loading a management page.
- Anomalous session token reuse from IP addresses that do not match the originating administrator workstation.
Detection Strategies
- Review DDOS web server access logs for POST or PUT requests from unauthenticated sources containing HTML entities, angle brackets, or encoded script keywords.
- Inspect stored configuration and comment fields in the management interface for injected markup that would render as script.
- Correlate administrator login events with subsequent client-side activity to identify sessions that trigger anomalous API traffic immediately after page loads.
Monitoring Recommendations
- Restrict and log all access to the Data Domain management interface, alerting on unauthenticated requests that submit form data.
- Enable browser-side Content Security Policy (CSP) violation reporting where supported to surface unexpected inline script execution.
- Monitor for creation or modification of Data Domain administrative accounts, replication targets, or retention policies immediately following management UI access.
How to Mitigate CVE-2026-41122
Immediate Actions Required
- Apply the fixed release identified in Dell Security Update DSA-2026-278 to all affected LTS2024, LTS2025, LTS2026, and mainline Data Domain systems.
- Restrict network reachability of the Data Domain management interface to trusted administrative subnets and jump hosts only.
- Rotate administrator credentials and invalidate active management sessions after patching to remove any tokens that may have been captured.
Patch Information
Dell has released fixed builds for Dell PowerProtect Data Domain across the affected trains. Upgrade paths and specific fixed versions for the 7.7.1.0–8.7 range, LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches are documented in advisory DSA-2026-278. Customers should consult the advisory to select the correct fixed release for their deployed train and schedule the upgrade through standard change control.
Workarounds
- Place the Data Domain management interface behind a reverse proxy or web application firewall configured to strip or block script-bearing payloads until patches are applied.
- Limit administrator browser access to Data Domain to dedicated, hardened workstations that do not share sessions with general-purpose browsing.
- Enforce short session lifetimes and require re-authentication for sensitive management operations to reduce the window in which stolen tokens remain valid.
# Configuration example: restrict management interface access at the network layer
# (adjust interface and subnet to match your environment)
iptables -A INPUT -p tcp --dport 443 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

