Skip to main content

Solarwinds Observability Self Hosted EUVDEUVD-2026-16185

| CVE-2026-28298 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 SolarWinds GHSA-c2f7-jh9g-224w
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 14:30 euvd
EUVD-2026-16185
Analysis Generated
Mar 26, 2026 - 14:30 vuln.today
CVE Published
Mar 26, 2026 - 14:08 nvd
MEDIUM 5.9

DescriptionCVE.org

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

AnalysisAI

SolarWinds Observability Self-Hosted versions 2026.1.1 and earlier contain a stored cross-site scripting (XSS) vulnerability that permits authenticated high-privilege users to inject malicious scripts into the application, resulting in unintended script execution when other users access affected pages. The vulnerability requires high privilege level and user interaction to exploit, limiting real-world attack surface; no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a stored XSS flaw in which user-supplied input is not properly sanitized before being persisted in the application database and subsequently rendered in web pages. SolarWinds Observability Self-Hosted (CPE: cpe:2.3:a:solarwinds:solarwinds_observability_self-hosted:*:*:*:*:*:*:*:*) is a self-hosted observability platform that processes and displays monitoring data. The vulnerability exists in the web application tier where administrative or high-privilege users can inject script payloads through input fields that are inadequately filtered, leading to execution in the browser context of other users when they view stored content.

RemediationAI

Upgrade SolarWinds Observability Self-Hosted to a version released after 2026.1.1; consult the SolarWinds security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28298 for the specific patched version number and availability. Until patching is feasible, restrict administrative access to the application to trusted internal users only, enforce network segmentation to limit access from the local network to authorized personnel, and conduct user awareness training to recognize and report suspicious content modifications in dashboards. Additionally, implement Content Security Policy (CSP) headers where possible to mitigate XSS payload execution even if stored payloads are present.

Share

EUVD-2026-16185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy