Impact
SolarWinds Database Performance Analyzer contains a stored cross‑site scripting flaw that, when exploited, allows an attacker to execute arbitrary JavaScript in the victim’s browser. This unintended script execution could lead to session hijacking, credential theft, or other client‑side attacks. The weakness is a failure of input validation as defined by CWE‑20.
Affected Systems
The vulnerability affects all installations of SolarWinds Database Performance Analyzer prior to version 2026.2. The vendor recommends upgrading to that release or later.
Risk and Exploitability
The CVSS score of 5.6 indicates medium severity. No EPSS data are available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the DPA web interface, which stores user‑supplied input, so the attacker must first gain access to an account capable of submitting data that contains malicious script. Although exploitation does not amount to local or remote code execution, it remains a client‑side threat that can affect user confidentiality and integrity.