Impact
A stored cross‑site scripting vulnerability exists within SolarWinds Observability Self‑Hosted. The flaw enables the insertion of malicious JavaScript that is saved and subsequently delivered to other users who view the affected content. This can result in unintended script execution, exposing users to potential phishing, credential theft, or other client‑side attacks. The weakness originates from an input validation flaw that fails to properly sanitize user input before storage and rendering.
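The store-then-render pattern described above, shown next to output encoding at render time. This is an added example, not SolarWinds code or part of the advisory; the record layout, field names and function names are hypothetical, and the sample values are constructed.

```javascript
// Added illustration: hypothetical names, constructed data.
// Stored, user-editable values as they might come back from a database.
const storedRecords = [
  { id: 1, field: "caption", value: "core-switch-01" },
  { id: 2, field: "caption", value: '<img src=x onerror="alert(1)">' },
  { id: 3, field: "notes", value: "Uplink A & B <primary>" },
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value reaches the page unchanged,
// so any markup in it is parsed by every viewer's browser.
function renderUnsafe(record) {
  return `<td class="${record.field}">${record.value}</td>`;
}

// Hardened pattern: encode at output, whatever was accepted at input.
function renderSafe(record) {
  return `<td class="${escapeHtml(record.field)}">${escapeHtml(record.value)}</td>`;
}

// Audit helper: ids of stored values that would open a tag if rendered raw.
// Record 3 is harmless text but is still listed, which is why filtering
// alone is lossy and encoding at render time is the dependable control.
function findMarkupBearing(records) {
  return records.filter((r) => /<[a-z!\/]/i.test(String(r.value))).map((r) => r.id);
}

for (const record of storedRecords) {
  console.log(record.id, renderSafe(record));
}
console.log("review:", findMarkupBearing(storedRecords));
```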
Affected Systems
SolarWinds Observability Self‑Hosted is affected. No specific patch or version numbers are provided in the data, but the vulnerability was disclosed in relation to the 2026‑1‑1 release. Users should verify that they are running a version newer than the one identified as vulnerable.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate risk, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, further indicating limited exploitation. The attack vector is inferred to be the platform's data entry or configuration interfaces: an attacker must inject a malicious payload there, which is then stored and rendered to other authenticated users. No additional prerequisites or conditions are detailed, but successful exploitation likely depends on the target's user permissions.
OpenCVE Enrichment