SolarWinds Database Performance Analyzer < 2026.2 Stored XSS (CVE-2026-28322)

medium Nessus Plugin ID 324956

Synopsis

An application installed on the remote host is affected by a cross-site scripting vulnerability.

Description

According to its self-reported version, the SolarWinds Database Performance Analyzer (DPA) installation on the remote host is prior to 2026.2. It is, therefore, affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update SolarWinds Database Performance Analyzer to version 2026.2 or later.

See Also

http://www.nessus.org/u?350c69c6

Plugin Details

Severity: Medium

ID: 324956

File Name: solarwinds_dpa_CVE-2026-28322.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 7/3/2026

Updated: 7/3/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.64

CVSS v2

Risk Factor: Medium

Base Score: 5.7

Vector: CVSS2#AV:A/AC:H/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2026-28322

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Vulnerability Information

CPE: cpe:/a:solarwinds:database_performance_analyzer

Required KB Items: installed_sw/SolarWinds Database Performance Analyzer

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 6/30/2026

Reference Information

CVE: CVE-2026-28322

IAVB: 2026-B-0178