CVE-2025-26395

7.1 HIGH

📋 TL;DR

SolarWinds Observability Self-Hosted has a cross-site scripting (XSS) vulnerability in an unsanitized URL field. This allows authenticated administrators to inject malicious scripts that could compromise other users' sessions or data. Only administrators with access to the vulnerable interface are affected.

💻 Affected Systems

Products:
  • SolarWinds Observability Self-Hosted
Versions: Prior to 2025.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator authentication and user interaction to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious administrator could steal session cookies, perform actions as other users, or deploy malware to other administrators' browsers.

🟠 Likely Case

Limited impact due to requiring administrator authentication and user interaction; most likely used for session hijacking or credential theft among administrators.

🟢 If Mitigated

With proper access controls and administrator vetting, risk is minimal as exploitation requires privileged credentials and user interaction.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrator credentials and social engineering to trick users into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.2

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26395

Restart Required: Yes

Instructions:

1. Download SolarWinds Observability Self-Hosted version 2025.2 from the SolarWinds customer portal.
2. Follow the standard upgrade procedures documented in the SolarWinds documentation.
3. Restart services after the upgrade completes.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement additional input validation for URL parameters at the application layer.

Not applicable - requires code changes

Content Security Policy (applies to: all)

Implement strict Content Security Policy headers to mitigate XSS impact.

Add "Content-Security-Policy: default-src 'self'" to the web server configuration.

🧯 If You Can't Patch

  • Restrict administrator account access to trusted personnel only
  • Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check current version in SolarWinds Observability web interface under Help > About

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify version shows 2025.2 or later after upgrade

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator activity patterns
  • Multiple failed login attempts followed by successful administrator login

Network Indicators:

  • Suspicious JavaScript payloads in URL parameters
  • Unusual outbound connections from administrator workstations

SIEM Query:

source="solarwinds" AND (url="*<script>*" OR url="*javascript:*")
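The query above applied to constructed sample records, as an added example that is not part of the original advisory. It also URL-decodes each query-parameter value (repeatedly, to cover double encoding), which the literal wildcard query does not, so encoded `<script>` and `javascript:` payloads are caught as well. Field names and log records are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample records (not real SolarWinds logs). Field names are assumed:
# "source", "user" and "url" mirror the SIEM query above.
SAMPLE_LOGS = [
    {"source": "solarwinds", "user": "admin1", "url": "/integrations?url=https%3A%2F%2Fexample.com%2Fhook"},
    {"source": "solarwinds", "user": "admin2", "url": "/integrations?url=<script>test</script>"},
    {"source": "solarwinds", "user": "admin2", "url": "/integrations?url=javascript:test"},
    # URL-encoded form of the same tag: the literal query's url="*<script>*" does not match it.
    {"source": "solarwinds", "user": "admin3", "url": "/integrations?url=%3Cscript%3Etest%3C%2Fscript%3E"},
    {"source": "nginx", "user": "-", "url": "/index.html?q=<script>"},
]

# Same two substrings the SIEM query wildcards on, matched case-insensitively.
SIEM_PATTERN = re.compile(r"<script>|javascript:", re.IGNORECASE)


def matches_siem_query(record):
    """Literal equivalent of: source="solarwinds" AND (url="*<script>*" OR url="*javascript:*")."""
    return record["source"] == "solarwinds" and SIEM_PATTERN.search(record["url"]) is not None


def matches_decoded(record, max_rounds=3):
    """Same check, but on each query-parameter value after URL-decoding it up to max_rounds times."""
    if record["source"] != "solarwinds":
        return False
    values = [v for _, v in parse_qsl(urlsplit(record["url"]).query, keep_blank_values=True)]
    for value in values:
        decoded = value  # parse_qsl already decoded one layer
        for _ in range(max_rounds):
            if SIEM_PATTERN.search(decoded):
                return True
            nxt = unquote(decoded)
            if nxt == decoded:  # nothing left to decode
                break
            decoded = nxt
    return False


def flag_records(records):
    """Return (user, url) pairs worth an analyst's attention."""
    return [(r["user"], r["url"]) for r in records if matches_decoded(r)]


if __name__ == "__main__":
    for user, url in flag_records(SAMPLE_LOGS):
        print(f"suspicious request by {user}: {url}")
```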
