CVE-2026-0209
published 2026-04-14CVE-2026-0209: Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.
PriorityP336medium6.9CVSS 4.0
AVNACLATNPRHUINVCNVIHVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.38%
29.7th percentile
Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| purestorage | flasharray | — | — |
| purestorage | flasharray | 5.0.0 – 5.3.21 | — |
| purestorage | flasharray | 6.0.0 – 6.4.10 | — |
| purestorage | flasharray | 6.5.0 – 6.5.12 | — |
| purestorage | flasharray | 6.6.0 – 6.6.11 | — |
| purestorage | flasharray | 6.7.0 – 6.7.6 | — |
| purestorage | flasharray | 6.8.0 – 6.8.9 | — |
| purestorage | flasharray | 6.9.0 – 6.9.1 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jhcx-2f94-4747: Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured
ghsa_unreviewed·2026-04-14
CVE-2026-0209 [MEDIUM] CWE-783 GHSA-jhcx-2f94-4747: Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured
Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.
VulDB
PureStorage FlashArray up to 6.10.0 operator precedence logic error
vuldb·2026-04-14·CVSS 6.9
CVE-2026-0209 [MEDIUM] PureStorage FlashArray up to 6.10.0 operator precedence logic error
A vulnerability, which was classified as problematic, was found in PureStorage FlashArray up to 6.10.0. Affected is an unknown function. The manipulation results in operator precedence logic error.
This vulnerability is identified as CVE-2026-0209. The attack can be executed remotely. There is not any exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-14
Published