CVE-2025-26395

Description

SolarWinds Observability Self-Hosted was susceptible to a cross-site scripting (XSS) vulnerability due to an unsanitized field in the URL. The attack requires authentication using an administrator-level account and user interaction is required.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Affected products

SolarWinds / SolarWinds Observability Self-Hosted2025.1.1 and previous versions – 2025.1.1 and previous versions

References

VENDOR_ADVISORYhttps://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26395
MISChttps://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2025-2_release_notes.htm