Cross-Site Scripting Vulnerability in SolarWinds Observability Self-Hosted
CVE-2025-26395

7.1HIGH

Key Information:

Vendor: Solarwinds
Status: Solarwinds Observability Self-hosted
Vendor: CVE Published:; 10 June 2025

What is CVE-2025-26395?

SolarWinds Observability Self-Hosted is vulnerable to cross-site scripting (XSS) attacks, allowing an authenticated attacker with administrator-level access to exploit an unsanitized input field in the URL. Successful exploitation requires user interaction, potentially compromising the security of the application and its users. Users are advised to apply necessary security updates and follow best practices to mitigate risks.

Affected Version(s)

SolarWinds Observability Self-Hosted Windows 2025.1.1 and previous versions

References

https://www.solarwinds.com/trust-center/security-advisori...

https://documentation.solarwinds.com/en/success_center/or...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2025
Vulnerability Reserved
Feb 8, 2025

Credit

SolarWinds would like to thank Shahzin Sajid, Al Sabah Salim, and Shabeer Ali from the QatarEnergyLNG SOC team for reporting on the issue in a responsible manner.

Solarwinds

What is CVE-2025-26395?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit