Description
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.
Published: 2026-03-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting leading to script execution
Action: Apply Patch
AI Analysis

Impact

SolarWinds Observability Self‑Hosted contains a stored cross‑site scripting flaw that allows an attacker to inject malicious scripts into a page that is subsequently rendered to other users. The vulnerability is categorized as CWE‑79 and can lead to unintended script execution, which may enable attackers to hijack user sessions, deface content, or perform actions on behalf of authenticated users. The impact is confined to a compromised browser context but can be leveraged for broader credential theft or phishing attacks.

Affected Systems

The affected product is SolarWinds Observability Self‑Hosted. No specific version numbers are identified in the available data, so administrators should verify whether their deployment includes the vulnerable component and consult the vendor for the latest update.

Risk and Exploitability

The CVSS base score for this issue is 5.9, indicating medium severity. Exploitability data from EPSS is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack vector is inferred to be an authenticated user or attacker who can supply the malicious payload to a location that is stored and later rendered to other users, such as a comment or description field. Without an existing patch, the risk remains medium to high for any environment that allows unauthenticated or low‑privilege users to input content that is displayed to higher‑privileged users.

Generated by OpenCVE AI on March 26, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SolarWinds Observability Self‑Hosted to the latest release that contains the XSS fix
  • If an immediate update is not possible, limit the scope of input fields that are stored and displayed, ensuring they are properly escaped or sanitized
  • Implement a Content Security Policy to restrict uncontrolled script execution
  • Verify that only authenticated and authorized users can access input surfaces that could be used for injection

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Solarwinds; Solarwinds observability Self-hosted

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Solarwinds; Solarwinds observability Self-hosted

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 14:30:00 +0000

Type: Description
  Values Added: SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

Type: Title
  Values Added: SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability

Type: Weaknesses
  Values Added: CWE-79

Type: References
  Values Added:

Type: Metrics (cvssV3_1)
  Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published:

Updated: 2026-03-27T03:55:35.745Z

Reserved: 2026-02-26T14:15:09.403Z

Link: CVE-2026-28298

Vulnrichment

Updated: 2026-03-26T15:16:27.129Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T15:16:34.710

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-28298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:26:36Z

Weaknesses