U.S. CISA adds SolarWinds Serv-U flaw to its Known Exploited Vulnerabilities catalog

CISA added SolarWinds Serv‑U CVE‑2026‑28318 (CVSS 7.5) — an unauthenticated DoS triggered by specially crafted HTTP POST requests with Content-Encoding:deflate that crash the Serv‑U service — to its Known Exploited Vulnerabilities catalog. SolarWinds released fixes (Serv‑U 15.5.4 HF1) and mitigation guidance, and CISA directed federal agencies to remediate by June 19, 2026.