Vendor CVEs
Webhelpdesk
All CVEs
27 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-28987 | 0.23 | — | 0.93 | KEV | Aug 21, 2024 | The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data. | ||
| CVE-2025-40551 | 0.22 | — | 0.84 | KEV | Jan 28, 2026 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | ||
| CVE-2025-40536 | 0.21 | — | 0.82 | KEV | Jan 28, 2026 | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. | ||
| CVE-2024-28986 | 0.19 | — | 0.85 | KEV | Aug 13, 2024 | SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been… | ||
| CVE-2025-26399 | 0.14 | — | 0.88 | KEV | Sep 23, 2025 | SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which… | ||
| CVE-2025-40554 | 0.01 | — | 0.58 | Jan 28, 2026 | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. | |||
| CVE-2025-40553 | 0.01 | — | 0.60 | Jan 28, 2026 | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | |||
| CVE-2025-40552 | 0.01 | — | 0.50 | Jan 28, 2026 | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. | |||
| CVE-2024-28988 | 0.01 | — | 0.37 | Sep 1, 2025 | SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability was found by the ZDI team after researching a previous… | |||
| CVE-2025-40537 | 0.00 | — | 0.01 | Jan 28, 2026 | SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | |||
| CVE-2025-26400 | 0.00 | — | 0.00 | Jul 29, 2025 | SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files. | |||
| CVE-2024-28989 | 0.00 | — | 0.00 | Feb 11, 2025 | SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software. | |||
| CVE-2024-45709 | 0.00 | — | 0.00 | Dec 10, 2024 | SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited. | |||
| CVE-2021-35251 | 0.00 | — | 0.01 | Mar 9, 2022 | Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation. | |||
| CVE-2021-35232 | 0.00 | — | 0.00 | Dec 27, 2021 | Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password… | |||
| CVE-2021-35243 | 0.00 | — | 0.01 | Dec 23, 2021 | The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method… | |||
| CVE-2021-32076 | 0.00 | — | 0.01 | Aug 26, 2021 | Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by… | |||
| CVE-2019-16961 | 0.00 | — | 0.01 | Jan 15, 2021 | SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. | |||
| CVE-2019-16954 | 0.00 | — | 0.01 | Jan 6, 2021 | SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. | |||
| CVE-2019-16960 | 0.00 | — | 0.01 | Jan 4, 2021 | SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. | |||
| CVE-2019-16956 | 0.00 | — | 0.02 | Jan 4, 2021 | SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. | |||
| CVE-2019-16959 | 0.00 | — | 0.02 | Dec 21, 2020 | SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket. | |||
| CVE-2019-16955 | 0.00 | — | 0.02 | Dec 18, 2020 | SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request. | |||
| CVE-2019-16957 | 0.00 | — | 0.01 | Dec 18, 2020 | SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account. | |||
| CVE-2019-16958 | 0.00 | — | 0.01 | Dec 1, 2020 | Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name. | |||
| CVE-2009-1261 | 0.00 | — | 0.01 | Apr 7, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9.1.22 (evaluation version) allow remote attackers to inject arbitrary web script or HTML via the (1) Report Name, (2) Asset No., and (3) Full Name fields in a Models action. NOTE: the provenance of this… | |||
| CVE-2009-0303 | 0.00 | — | 0.01 | Jan 27, 2009 | Cross-site scripting (XSS) vulnerability in Web Help Desk before 9.1.18 allows remote attackers to inject arbitrary web script or HTML via vectors related to "encoded JavaScript" and Helpdesk.woa. |
- risk 0.23cvss —epss 0.93
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
- risk 0.22cvss —epss 0.84
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
- risk 0.21cvss —epss 0.82
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
- risk 0.19cvss —epss 0.85
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been…
- risk 0.14cvss —epss 0.88
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which…
- CVE-2025-40554Jan 28, 2026risk 0.01cvss —epss 0.58
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.
- CVE-2025-40553Jan 28, 2026risk 0.01cvss —epss 0.60
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
- CVE-2025-40552Jan 28, 2026risk 0.01cvss —epss 0.50
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
- CVE-2024-28988Sep 1, 2025risk 0.01cvss —epss 0.37
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability was found by the ZDI team after researching a previous…
- CVE-2025-40537Jan 28, 2026risk 0.00cvss —epss 0.01
SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions.
- CVE-2025-26400Jul 29, 2025risk 0.00cvss —epss 0.00
SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files.
- CVE-2024-28989Feb 11, 2025risk 0.00cvss —epss 0.00
SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software.
- CVE-2024-45709Dec 10, 2024risk 0.00cvss —epss 0.00
SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited.
- CVE-2021-35251Mar 9, 2022risk 0.00cvss —epss 0.01
Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation.
- CVE-2021-35232Dec 27, 2021risk 0.00cvss —epss 0.00
Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password…
- CVE-2021-35243Dec 23, 2021risk 0.00cvss —epss 0.01
The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method…
- CVE-2021-32076Aug 26, 2021risk 0.00cvss —epss 0.01
Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by…
- CVE-2019-16961Jan 15, 2021risk 0.00cvss —epss 0.01
SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name.
- CVE-2019-16954Jan 6, 2021risk 0.00cvss —epss 0.01
SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket.
- CVE-2019-16960Jan 4, 2021risk 0.00cvss —epss 0.01
SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field.
- CVE-2019-16956Jan 4, 2021risk 0.00cvss —epss 0.02
SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket.
- CVE-2019-16959Dec 21, 2020risk 0.00cvss —epss 0.02
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.
- CVE-2019-16955Dec 18, 2020risk 0.00cvss —epss 0.02
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.
- CVE-2019-16957Dec 18, 2020risk 0.00cvss —epss 0.01
SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.
- CVE-2019-16958Dec 1, 2020risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name.
- CVE-2009-1261Apr 7, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9.1.22 (evaluation version) allow remote attackers to inject arbitrary web script or HTML via the (1) Report Name, (2) Asset No., and (3) Full Name fields in a Models action. NOTE: the provenance of this…
- CVE-2009-0303Jan 27, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Web Help Desk before 9.1.18 allows remote attackers to inject arbitrary web script or HTML via vectors related to "encoded JavaScript" and Helpdesk.woa.