Severity by source
AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Adjacent vector reflects internal-only DPA deployment; PR:H and UI:R match admin-injection and victim-browse requirements; no availability impact for XSS.
Primary rating from Vendor (SolarWinds).
CVSS VectorVendor: SolarWinds
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
SolarWinds Database Performance Analyzer was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.
AnalysisAI
Stored cross-site scripting in SolarWinds Database Performance Analyzer enables a highly privileged, adjacent-network attacker to persist malicious scripts in the application that execute within other users' browsers upon page load. The CVSS vector (AV:A/AC:H/PR:H/UI:R) imposes substantial constraints - adjacency, high complexity, admin-level credentials, and victim interaction are all required - limiting realistic risk to insider-threat or post-compromise scenarios. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold high-privilege (PR:H) credentials within the SolarWinds DPA application - consistent with a database administrator or DPA admin role - sufficient to write to stored fields rendered in the web interface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N) with a base score of 5.6 accurately reflects a heavily gated exploit chain despite the high confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious database administrator or compromised high-privilege DPA account, operating from the internal management network, injects a JavaScript payload into a persistent DPA field such as an alert definition, dashboard label, or annotation. When a legitimate DPA user subsequently navigates to the page rendering that field, their browser silently executes the script, which could exfiltrate their session cookie to an attacker-controlled endpoint, enabling session hijacking without further credentials. |
| Remediation | Upgrade SolarWinds Database Performance Analyzer to version 2026.2 or later, as indicated by the DPA 2026.2 release notes available at https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2026-2_release_notes.htm; confirm the exact patched version via the vendor advisory at https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28322. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
No exception handling vulnerability which revealed sensitive or excessive information to users. Rated high severity (CVS
Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the serv
XSS attack was possible in DPA 2023.2 due to insufficient input validation. Rated medium severity (CVSS 6.1), this vulne
This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from header
SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. Rated medium severity (CVS
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40457
GHSA-5j72-hhf9-wpj4