CVE-2025-40536
Is CVE-2025-40536 real, exploitable, or a false positive? Here's the community ground truth.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that, if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Community ground truth
Community verdict
2 verdicts. Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.
In line with its CVSS base score.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- Confirmed exploited in the wild — listed in the CISA KEV catalog (added 2026-02-12). Treat as real and prioritize patching over triage.
Related CVEs
Same weakness — CWE-693.
- CVE-2013-2465 (CVSS 9.8, KEV, EPSS 99%)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.
- CVE-2024-21412 (CVSS 8.1, KEV, EPSS 95%)
Internet Shortcut Files Security Feature Bypass Vulnerability
- CVE-2013-0431 (CVSS 5.3, KEV, EPSS 90%)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
- CVE-2019-1003030 (CVSS 9.9, KEV, EPSS 76%)
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
- CVE-2025-0411 (CVSS 7, KEV, EPSS 66%)
7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.
- CVE-2026-21513 (CVSS 8.8, KEV, EPSS 15%)
Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.