serv-u

Vendor: solarwinds

Actively exploited (CISA KEV list): 4
PoC / exploits (code available): 4
Total RCEs (remote access): 2
Total CVEs (total indexed): 54
Avg. EPSS (exploit probability): 8.57%
Latest CVE: CVE-2026-28318 (Jun 04)

Security Vulnerability Index

5.4 CVSS

SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS.

EPSS: 4.26%

9.8 CVSS

SolarWinds Serv-U before 15.2.2 allows Unauthenticated Macro Injection.

EPSS: 4.46%

5.4 CVSS

SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS.

EPSS: 1.63%

6.5 CVSS

SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal.

EPSS: 1.89%

7.5 CVSS

SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response.

EPSS: 2.91%

6.1 CVSS

SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194.

EPSS: 3.32%

7.5 CVSS

SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893.

EPSS: 2.91%

6.1 CVSS

SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421.

EPSS: 3.32%

6.5 CVSS

A denial of service vulnerability in SolarWinds Serv-U before 15.1.6 HFv1 allows an authenticated user to crash the application (with a NULL pointer dereference) via a specially crafted URL beginning with the /Web%20Client/ substring.

EPSS: 1.47%

7.3 CVSS

SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user's session.

EPSS: 1.36%