Is CVE-2026-28318 exploitable?

Yes. CVE-2026-28318 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2026-28318 a false positive?

No practitioners have marked CVE-2026-28318 a false positive so far (1 verdict).

How do I remediate CVE-2026-28318?

Practitioners have shared remediation steps for CVE-2026-28318. See the remediation notes on this page.

CVE-2026-28318

Uncontrolled Resource Consumption: is CVE-2026-28318real, exploitable, or a false positive? Here's the community verdict.

☆ Watch

High · CVSS 7.5EPSS 1.1%CISA KEVCWE-400 · Uncontrolled Resource Consumption

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust Center if you are unable to deploy the update

References

NVD MITRE CVE.org CISA KEV

Published Jun 4, 2026

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-28318/badge.svg)](https://www.truepositive.app/cve/CVE-2026-28318)

HTML

<a href="https://www.truepositive.app/cve/CVE-2026-28318"><img src="https://www.truepositive.app/cve/CVE-2026-28318/badge.svg" alt="TruePositive verdict for CVE-2026-28318"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

In your experience, is this finding real and exploitable?

1 verdict

Not a real issue

Includes TruePositive's curated baseline from public sources. Community verdicts accrue on top.

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Community real-world severity: High (High 1) vs CVSS base score 7.5

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

0
Field note · TruePositive EditorialCurated
SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability — SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication. Listed in the CISA KEV catalog (added 2026-06-05) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~1%. Treat it as real and prioritize remediation over triage.
0
Remediation · TruePositive EditorialCurated
Required action for SolarWinds Serv-U: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. CISA set a federal remediation due date of 2026-06-19. After patching, verify the vulnerable path is no longer reachable before closing the finding.

Add a field note or remediationoptional

Same weakness: CWE-400 · Uncontrolled Resource Consumption.

CVE-2026-28318

Community ground truth

Field notes & remediation

Related CVEs