Skip to main content

Database Performance Analyzer EUVDEUVD-2026-40457

| CVE-2026-28322 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 SolarWinds GHSA-5j72-hhf9-wpj4
5.6
CVSS 3.1 · Vendor: SolarWinds
Share

Severity by source

Vendor (SolarWinds) PRIMARY
5.6 MEDIUM
AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
5.6 MEDIUM

Adjacent vector reflects internal-only DPA deployment; PR:H and UI:R match admin-injection and victim-browse requirements; no availability impact for XSS.

3.1 AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
4.0 AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (SolarWinds).

CVSS VectorVendor: SolarWinds

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 23:41 vuln.today

DescriptionCVE.org

SolarWinds Database Performance Analyzer was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

AnalysisAI

Stored cross-site scripting in SolarWinds Database Performance Analyzer enables a highly privileged, adjacent-network attacker to persist malicious scripts in the application that execute within other users' browsers upon page load. The CVSS vector (AV:A/AC:H/PR:H/UI:R) imposes substantial constraints - adjacency, high complexity, admin-level credentials, and victim interaction are all required - limiting realistic risk to insider-threat or post-compromise scenarios. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege DPA credentials
Delivery
Inject script into stored DPA field
Exploit
Victim admin browses affected page
Execution
Browser executes stored payload
Impact
Session token exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold high-privilege (PR:H) credentials within the SolarWinds DPA application - consistent with a database administrator or DPA admin role - sufficient to write to stored fields rendered in the web interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N) with a base score of 5.6 accurately reflects a heavily gated exploit chain despite the high confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious database administrator or compromised high-privilege DPA account, operating from the internal management network, injects a JavaScript payload into a persistent DPA field such as an alert definition, dashboard label, or annotation. When a legitimate DPA user subsequently navigates to the page rendering that field, their browser silently executes the script, which could exfiltrate their session cookie to an attacker-controlled endpoint, enabling session hijacking without further credentials.
Remediation Upgrade SolarWinds Database Performance Analyzer to version 2026.2 or later, as indicated by the DPA 2026.2 release notes available at https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2026-2_release_notes.htm; confirm the exact patched version via the vendor advisory at https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28322. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy