Cyber Posture

CVE-2026-28298

Medium

Published: 26 March 2026

Modified: 31 March 2026
CVSS Score: 5.9 (CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28298 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in SolarWinds Observability Self-Hosted. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability ranks at the 4.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Information input validation directly prevents the storage of malicious XSS payloads by rejecting or sanitizing untrusted inputs before they are processed and stored in SolarWinds Observability Self-Hosted.

prevent

Information output filtering prevents execution of stored malicious scripts by encoding or escaping outputs rendered in users' browsers when viewing affected content.

prevent

Flaw remediation ensures timely application of the vendor patch released in Hybrid Cloud Observability 2026.1.1 to eliminate the specific stored XSS vulnerability.

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS enables arbitrary JavaScript execution in victim browsers (after privileged payload injection), directly facilitating session hijacking and cookie theft in the SolarWinds web app context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

Deeper analysis

CVE-2026-28298 is a stored cross-site scripting vulnerability (CWE-79) in SolarWinds Observability Self-Hosted. Exploitation of this flaw can lead to unintended script execution. It carries a CVSS v3.1 base score of 5.9, with the vector AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N, indicating medium severity.

An attacker with adjacent network access can exploit this vulnerability if they possess high privileges on the system and can trick a user into performing an action, such as viewing affected content. Successful exploitation enables high-impact compromise of confidentiality and integrity, allowing arbitrary script execution in the victim's browser context without affecting availability.

SolarWinds has addressed this issue in its security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28298 and release notes for Hybrid Cloud Observability 2026.1.1 at https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2026-1-1_release_notes.htm, which detail patching and mitigation steps.

Details

CWE(s)

Affected Products

Vendor: solarwinds · Product: observability self-hosted · Version: ≤ 2026.1.1

CVEs Like This One

CVE-2026-28297: Same product: SolarWinds Observability Self-Hosted
CVE-2026-4108: Same product class: network monitoring / SIEM
CVE-2026-28703: Same product class: network monitoring / SIEM
CVE-2026-27655: Same product class: network monitoring / SIEM
CVE-2026-28756: Same product class: network monitoring / SIEM
CVE-2026-28754: Same product class: network monitoring / SIEM
CVE-2026-3879: Same product class: network monitoring / SIEM
CVE-2026-4107: Same product class: network monitoring / SIEM
CVE-2025-40549: Same product class: network monitoring / SIEM
CVE-2025-40551: Same product class: network monitoring / SIEM
