Skip to main content

SolarWinds Web Help Desk EUVDEUVD-2026-34017

| CVE-2026-28299 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-02 SolarWinds GHSA-f247-223f-rhfm
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 02, 2026 - 20:23 vuln.today
CVE Published
Jun 02, 2026 - 19:31 nvd
HIGH 8.2

DescriptionCVE.org

SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash due to insufficient memory.

AnalysisAI

Denial-of-service in SolarWinds Web Help Desk allows remote unauthenticated attackers to crash the server by exhausting available memory. The flaw is network-reachable with low attack complexity and requires no privileges or user interaction (CVSS 8.2), and no public exploit identified at time of analysis. The issue was reported by SolarWinds and addressed in the Web Help Desk 2026.2 release.

Technical ContextAI

SolarWinds Web Help Desk is a Java-based IT service management and ticketing platform commonly deployed as an internet- or intranet-facing web application. The root cause maps to CWE-770 (Allocation of Resources Without Limits or Throttling), meaning the application accepts attacker-influenced input that drives memory allocation without enforcing an upper bound. When repeatedly or maliciously triggered, the JVM exhausts heap memory and the Web Help Desk server process crashes, taking the ticketing system offline until restarted. The single CPE entry (cpe:2.3:a:solarwinds:web_help_desk:*) indicates the vulnerability is scoped to the Web Help Desk product line rather than a shared SolarWinds component.

RemediationAI

Upgrade SolarWinds Web Help Desk to version 2026.2 or later, which per the SolarWinds release notes (https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-2_release_notes.htm) addresses this issue; consult the vendor advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28299 for any prerequisite patches or upgrade paths from older branches. Until the upgrade can be scheduled, restrict network reachability of the Web Help Desk web interface to trusted networks via firewall ACLs or VPN, and place the application behind a reverse proxy or WAF that can rate-limit and cap request body sizes to reduce the practical ability to drive memory growth - note that aggressive rate-limiting may also throttle legitimate technicians and end-users submitting large tickets or attachments. Configure JVM and OS monitoring to alert on heap pressure and auto-restart the service so an attack causes brief outages rather than prolonged downtime; this masks symptoms but does not prevent exploitation.

CVE-2025-40551 CRITICAL POC
9.8 Jan 28

SolarWinds Web Help Desk contains an unauthenticated Java deserialization vulnerability (CVE-2025-40551, CVSS 9.8) that

CVE-2025-40536 HIGH POC
8.1 Jan 28

SolarWinds Web Help Desk contains a security control bypass vulnerability (CVE-2025-40536) that allows unauthenticated a

CVE-2025-40552 CRITICAL POC
9.8 Jan 28

SolarWinds Web Help Desk has an authentication bypass vulnerability (EPSS 9.9%) that allows unauthenticated attackers to

CVE-2025-40554 CRITICAL POC
9.8 Jan 28

SolarWinds Web Help Desk has a second authentication bypass (EPSS 7.8%) providing yet another path to unauthenticated ad

CVE-2024-28986 CRITICAL POC
9.8 Aug 13

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that,

CVE-2024-28987 CRITICAL POC
9.1 Aug 21

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthe

CVE-2025-40553 CRITICAL
9.8 Jan 28

SolarWinds Web Help Desk has a second deserialization vulnerability (EPSS 11.9%) providing another unauthenticated RCE p

CVE-2024-28988 CRITICAL
9.8 Sep 01

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that,

CVE-2025-40537 HIGH
7.5 Jan 28

SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situat

CVE-2021-35243 HIGH
7.5 Dec 23

The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to exe

CVE-2024-28989 MEDIUM
5.5 Feb 11

SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive in

CVE-2024-45709 MEDIUM
5.5 Dec 10

SolarWinds Web Help Desk was susceptible to a local file read vulnerability. Rated medium severity (CVSS 5.5), this vuln

Share

EUVD-2026-34017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy