CVE-2026-28298 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting SolarWinds Observability Self-Hosted, specifically versions 2026.1.1 and earlier. The vulnerability results from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored and later executed in the context of authenticated users. Exploitation requires an attacker to have authenticated access and involves user interaction, such as viewing a crafted page or input. Once exploited, the attacker can execute arbitrary scripts within the victim's browser session, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user. The CVSS 3.1 base score is 5.9, reflecting medium severity due to the attack vector being adjacent network (AV:A), low attack complexity (AC:L), requiring high privileges (PR:H), and user interaction (UI:R). The impact on confidentiality and integrity is high, while availability is not affected. No public exploits are known at this time, but the vulnerability poses a significant risk to organizations relying on SolarWinds Observability Self-Hosted for monitoring and observability. The lack of a patch link indicates that remediation may still be pending, emphasizing the need for interim mitigations.

The vulnerability can lead to unauthorized script execution within the context of authenticated users, compromising the confidentiality and integrity of sensitive monitoring data and user sessions. Attackers could steal credentials, perform actions on behalf of legitimate users, or manipulate monitoring data, potentially disrupting incident response and operational visibility. Given SolarWinds’ widespread use in enterprise and critical infrastructure environments, exploitation could facilitate lateral movement or persistent footholds within networks. The requirement for authenticated access and user interaction limits the attack surface but does not eliminate risk, especially in environments with many users or where phishing/social engineering could be used to induce interaction. The absence of known exploits reduces immediate risk but does not preclude future attacks. Organizations could face data breaches, operational disruptions, and reputational damage if this vulnerability is exploited.

1. Apply patches promptly once SolarWinds releases an official fix for this vulnerability. 2. Until patches are available, implement strict input validation and output encoding on all user-supplied data within the SolarWinds Observability Self-Hosted environment to prevent script injection. 3. Restrict access to the SolarWinds Observability Self-Hosted interface to trusted users and networks, minimizing exposure. 4. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting SolarWinds interfaces. 5. Educate users about phishing and social engineering risks to reduce the likelihood of malicious link clicks or interactions. 6. Monitor logs for unusual activity or attempts to inject scripts. 7. Enforce least privilege principles for user accounts to limit the impact of compromised credentials. 8. Consider isolating the monitoring environment from general user networks to reduce attack vectors.