SolarWinds 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は パス処理の欠陥、vendor risk input validation, and vendor risk sql injection に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で ファイル上書き and vendor impact unexpected behavior などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-28318 KEV | SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update | [email protected] | 7.5 | 0.06% | 2026-06-04 | 2026-06-05 |
| CVE-2026-28299 | SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash due to insufficient memory. | [email protected] | 8.2 | 0.06% | 2026-06-02 | 2026-06-04 |
| CVE-2018-25252 | FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and paste it into the IP field to trigger a buffer overflow that crashes the FTP Voyager process. | [email protected] | 6.9 | 0.01% | 2026-04-04 | 2026-04-20 |
| CVE-2026-28298 | SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution. | [email protected] | 5.9 | 0.02% | 2026-03-26 | 2026-03-31 |
| CVE-2026-28297 | SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution. | [email protected] | 6.1 | 0.03% | 2026-03-26 | 2026-03-31 |
| CVE-2025-40541 | An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.04% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40540 | A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40539 | A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40538 | A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2026-02-24 | 2026-02-24 |
| CVE-2025-40554 | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. | [email protected] | 9.8 | 6.29% | 2026-01-28 | 2026-02-03 |
| CVE-2025-40553 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | [email protected] | 9.8 | 17.36% | 2026-01-28 | 2026-02-26 |
| CVE-2025-40552 | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. | [email protected] | 9.8 | 8.55% | 2026-01-28 | 2026-02-26 |
| CVE-2025-40551 KEV | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | [email protected] | 9.8 | 86.97% | 2026-01-28 | 2026-02-04 |
| CVE-2025-40537 | SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | [email protected] | 7.5 | 0.02% | 2026-01-28 | 2026-02-03 |
| CVE-2025-40536 KEV | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. | [email protected] | 8.1 | 67.49% | 2026-01-28 | 2026-02-13 |
| CVE-2025-40549 | A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled. | [email protected] | 9.1 | 0.09% | 2025-11-18 | 2025-12-02 |
| CVE-2025-40548 | A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.06% | 2025-11-18 | 2025-12-02 |
| CVE-2025-40547 | A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | [email protected] | 9.1 | 0.07% | 2025-11-18 | 2025-12-02 |
| CVE-2025-40545 | SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required. | [email protected] | 4.8 | 0.02% | 2025-11-18 | 2025-11-24 |
| CVE-2025-26391 | SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. | [email protected] | 5.4 | 0.02% | 2025-11-18 | 2025-11-24 |