Cyber Posture

CVE-2026-28297

Medium

Published: 26 March 2026

Modified: 31 March 2026
KEV Added
Patch
CVSS Score: 6.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.0th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Security Summary

CVE-2026-28297 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting SolarWinds Observability Self-Hosted. Published on 2026-03-26, it carries a CVSS v3.1 base score of 6.1 (AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). When exploited, the vulnerability enables unintended script execution within the affected application.

The attack requires an attacker to have high privileges (PR:H) and access from an adjacent network (AV:A), with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality (C:H) and integrity (I:H), allowing injected scripts to steal sensitive data or manipulate application functionality, while availability is unaffected (A:N) and scope is unchanged (S:U).

SolarWinds has addressed the issue in its security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28297 and release notes for Hybrid Cloud Observability (HCO) 2026.1.1 at https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2026-1-1_release_notes.htm, which detail mitigation and patching instructions.

Details

CWE(s)
CWE-79

Affected Products

Vendor: solarwinds
Product: observability self-hosted
Version: ≤ 2026.1.1

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1555.003 Credentials from Web Browsers (Credential Access)
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

Why these techniques?

Stored XSS enables drive-by compromise via the legitimate SolarWinds application (T1189), exploitation of a remote web service (T1210), and injected scripts that steal web session cookies (T1539) or credentials from browsers (T1555.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
