本ページは solarwinds web_help_desk に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-28299 | SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash due to insufficient memory. | [email protected] | 8.2 | 0.06% | 2026-06-02 | 2026-06-04 |
| CVE-2025-40554 | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. | [email protected] | 9.8 | 6.29% | 2026-01-28 | 2026-02-03 |
| CVE-2025-40553 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | [email protected] | 9.8 | 17.36% | 2026-01-28 | 2026-02-26 |
| CVE-2025-40552 | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. | [email protected] | 9.8 | 8.55% | 2026-01-28 | 2026-02-26 |
| CVE-2025-40551 KEV | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | [email protected] | 9.8 | 87.12% | 2026-01-28 | 2026-02-04 |
| CVE-2025-40537 | SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | [email protected] | 7.5 | 0.02% | 2026-01-28 | 2026-02-03 |
| CVE-2025-40536 KEV | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. | [email protected] | 8.1 | 70.38% | 2026-01-28 | 2026-02-13 |
| CVE-2025-26399 KEV | SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986. | [email protected] | 9.8 | 30.53% | 2025-09-23 | 2026-03-10 |
| CVE-2024-28988 | SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research. We recommend all Web Help Desk customers apply the patch, which is now available. We thank Tre | [email protected] | 9.8 | 7.26% | 2025-09-01 | 2025-11-14 |
| CVE-2025-26400 | SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files. | [email protected] | 5.3 | 0.02% | 2025-07-29 | 2025-11-17 |
| CVE-2024-28989 | SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software. | [email protected] | 5.5 | 0.06% | 2025-02-11 | 2025-02-25 |
| CVE-2024-45709 | SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited. | [email protected] | 5.3 | 0.66% | 2024-12-10 | 2025-02-25 |
| CVE-2024-28987 KEV | The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data. | [email protected] | 9.1 | 94.29% | 2024-08-21 | 2025-10-27 |
| CVE-2024-28986 KEV | SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available. | [email protected] | 9.8 | 80.24% | 2024-08-13 | 2025-10-27 |
| CVE-2021-35251 | Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation. | [email protected] | 5.3 | 0.72% | 2022-03-10 | 2024-11-21 |
| CVE-2021-35243 | The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity. | [email protected] | 5.3 | 0.63% | 2021-12-23 | 2024-11-21 |
| CVE-2021-32076 | Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback. | [email protected] | 5.3 | 0.48% | 2021-08-26 | 2024-11-21 |
| CVE-2019-16961 | SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. | [email protected] | 5.4 | 2.19% | 2021-01-15 | 2024-11-21 |
| CVE-2019-16954 | SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. | [email protected] | 5.4 | 1.43% | 2021-01-06 | 2024-11-21 |
| CVE-2019-16960 | SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. | [email protected] | 5.4 | 1.93% | 2021-01-04 | 2024-11-21 |