CVE-2026-28298
Stored XSS in SolarWinds Observability Self-Hosted Enables Script Execution
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: SolarWinds
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| solarwinds | observability_self-hosted | to 2026.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to the execution of malicious scripts within the SolarWinds Observability Self-Hosted environment.
This can compromise the confidentiality and integrity of information handled by the application, potentially exposing sensitive data or allowing unauthorized data manipulation.
However, there is no impact on the availability of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the stored cross-site scripting vulnerability in SolarWinds Observability Self-Hosted, you should upgrade to version 2026.1.1 or later, where the issue has been fixed.
This update addresses the vulnerability by preventing malicious script injection and execution, thereby enhancing the security and integrity of the software.
Can you explain this vulnerability to me?
CVE-2026-28298 is a stored cross-site scripting (XSS) vulnerability affecting SolarWinds Observability Self-Hosted versions 2026.1 and earlier.
This vulnerability allows an attacker to inject malicious scripts that are stored and later executed unintentionally by users of the application.
When exploited, it can lead to unintended script execution within the application, potentially compromising the confidentiality and integrity of data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The stored cross-site scripting (XSS) vulnerability in SolarWinds Observability Self-Hosted can lead to unintended script execution, potentially compromising confidentiality and integrity of data.
Such compromises in confidentiality and integrity could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining data integrity.
However, the provided information does not explicitly discuss the direct effects of this vulnerability on compliance with these standards.