Search

Find a vulnerability

Search criteria

    169 vulnerabilities by Devolutions

    CVE-2026-13437 (GCVE-0-2026-13437)

    Vulnerability from cvelistv5 – Published: 2026-06-29 15:23 – Updated: 2026-06-29 16:25
    VLAI
    Summary
    Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions PowerShell Universal Affected: 2026.2.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13437",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T16:25:18.274687Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T16:25:22.355Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerShell Universal",
              "vendor": "Devolutions",
              "versions": [
                {
                  "status": "affected",
                  "version": "2026.2.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses."
                }
              ],
              "value": "Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-29T15:23:53.472Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0022/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-13437",
        "datePublished": "2026-06-29T15:23:53.472Z",
        "dateReserved": "2026-06-26T15:34:21.331Z",
        "dateUpdated": "2026-06-29T16:25:22.355Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13372 (GCVE-0-2026-13372)

    Vulnerability from cvelistv5 – Published: 2026-06-26 18:22 – Updated: 2026-06-26 19:25
    VLAI
    Summary
    Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Remote Desktop Manager Affected: 2026.2.5 , < 2026.2.11 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13372",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T19:24:36.727911Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T19:25:32.593Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Remote Desktop Manager",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThan": "2026.2.11",
                  "status": "affected",
                  "version": "2026.2.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user\u0027s context via a display name collision with an existing VPN script link."
                }
              ],
              "value": "Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user\u0027s context via a display name collision with an existing VPN script link."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-706",
                  "description": "CWE-706",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T18:22:02.763Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0021/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-13372",
        "datePublished": "2026-06-26T18:22:02.763Z",
        "dateReserved": "2026-06-25T19:55:53.064Z",
        "dateUpdated": "2026-06-26T19:25:32.593Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12755 (GCVE-0-2026-12755)

    Vulnerability from cvelistv5 – Published: 2026-06-25 13:12 – Updated: 2026-06-25 14:52
    VLAI
    Summary
    Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1284 - Improper validation of specified quantity in input
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.2.4.0 , < 2026.2.7.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12755",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:52:17.880696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:52:29.837Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThan": "2026.2.7.0",
                  "status": "affected",
                  "version": "2026.2.4.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper input validation in the PAM AD discovery endpoints in \nDevolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated\n user with the UserGroupsView permission to coerce server-side \nauthentication to an attacker-controlled host, exposing PAM provider \ncredentials as a NTLMv2 challenge-response, via a crafted DomainName \nparameter."
                }
              ],
              "value": "Improper input validation in the PAM AD discovery endpoints in \nDevolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated\n user with the UserGroupsView permission to coerce server-side \nauthentication to an attacker-controlled host, exposing PAM provider \ncredentials as a NTLMv2 challenge-response, via a crafted DomainName \nparameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1284",
                  "description": "CWE-1284 Improper validation of specified quantity in input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T13:12:54.439Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0020/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-12755",
        "datePublished": "2026-06-25T13:12:54.439Z",
        "dateReserved": "2026-06-19T19:30:39.329Z",
        "dateUpdated": "2026-06-25T14:52:29.837Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10696 (GCVE-0-2026-10696)

    Vulnerability from cvelistv5 – Published: 2026-06-17 18:43 – Updated: 2026-06-17 19:39
    VLAI
    Summary
    Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions UniGetUI Affected: 0 , ≤ 2026.2.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10696",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T19:38:53.962259Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T19:39:32.170Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "UniGetUI",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update."
                }
              ],
              "value": "Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-706",
                  "description": "CWE-706",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-17T18:43:29.276Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0019"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-10696",
        "datePublished": "2026-06-17T18:43:29.276Z",
        "dateReserved": "2026-06-02T16:11:22.453Z",
        "dateUpdated": "2026-06-17T19:39:32.170Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12105 (GCVE-0-2026-12105)

    Vulnerability from cvelistv5 – Published: 2026-06-16 18:28 – Updated: 2026-06-17 15:15
    VLAI
    Summary
    Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Devolutions Server Affected: 0 , < 2026.2.5 (custom)
    Affected: 0 , < 2026.1.21 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:15:37.905452Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:15:42.158Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Devolutions Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThan": "2026.2.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2026.1.21",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows\n an authenticated user to access attachments via folder duplication with\n inherited permissions."
                }
              ],
              "value": "Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows\n an authenticated user to access attachments via folder duplication with\n inherited permissions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T18:28:04.584Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0017/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-12105",
        "datePublished": "2026-06-16T18:28:04.584Z",
        "dateReserved": "2026-06-12T14:29:02.015Z",
        "dateUpdated": "2026-06-17T15:15:42.158Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12117 (GCVE-0-2026-12117)

    Vulnerability from cvelistv5 – Published: 2026-06-16 18:25 – Updated: 2026-06-17 15:14
    VLAI
    Summary
    Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Devolutions Server Affected: 2026.2.0 , < 2026.2.5 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12117",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:14:42.590567Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:14:46.588Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Devolutions Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThan": "2026.2.5",
                  "status": "affected",
                  "version": "2026.2.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access control in the social login connection endpoint in \nDevolutions Server 2026.2.5 allows an authenticated vault member to \nenumerate social login entry metadata to which they are not authorized \nvia a crafted API request."
                }
              ],
              "value": "Improper access control in the social login connection endpoint in \nDevolutions Server 2026.2.5 allows an authenticated vault member to \nenumerate social login entry metadata to which they are not authorized \nvia a crafted API request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T18:25:19.018Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0017/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-12117",
        "datePublished": "2026-06-16T18:25:19.018Z",
        "dateReserved": "2026-06-12T14:47:47.711Z",
        "dateUpdated": "2026-06-17T15:14:46.588Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11890 (GCVE-0-2026-11890)

    Vulnerability from cvelistv5 – Published: 2026-06-16 18:24 – Updated: 2026-06-17 15:13
    VLAI
    Summary
    Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Devolutions Server Affected: 0 , < 2026.2.5 (custom)
    Affected: 0 , < 2026.1.21 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11890",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T15:13:28.688219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-17T15:13:34.386Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Devolutions Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThan": "2026.2.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2026.1.21",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access control in PAM account discovery results in Devolutions \nServer 2026.2.5, 2026.1.21 allows an authenticated user to retrieve \naccount discovery scan results."
                }
              ],
              "value": "Improper access control in PAM account discovery results in Devolutions \nServer 2026.2.5, 2026.1.21 allows an authenticated user to retrieve \naccount discovery scan results."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-882",
                  "description": "CWE-882",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T18:24:00.306Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0017/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-11890",
        "datePublished": "2026-06-16T18:24:00.306Z",
        "dateReserved": "2026-06-10T15:08:21.510Z",
        "dateUpdated": "2026-06-17T15:13:34.386Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12162 (GCVE-0-2026-12162)

    Vulnerability from cvelistv5 – Published: 2026-06-15 23:56 – Updated: 2026-06-16 12:51
    VLAI
    Summary
    Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-297 - Improper Validation of Certificate with Host Mismatch
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Remote Desktop Manager Affected: 2026.2.0 , ≤ 2026.2.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12162",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T12:51:21.356612Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-297",
                    "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T12:51:25.016Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Remote Desktop Manager",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.2.8",
                  "status": "affected",
                  "version": "2026.2.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper host validation in the social login autofill feature in \nDevolutions Remote Desktop Manager 2026.2.8 allows an attacker to \ndisclose stored social login credentials via a crafted web entry \npointing to a provider lookalike domain."
                }
              ],
              "value": "Improper host validation in the social login autofill feature in \nDevolutions Remote Desktop Manager 2026.2.8 allows an attacker to \ndisclose stored social login credentials via a crafted web entry \npointing to a provider lookalike domain."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T23:57:40.218Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0018/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-12162",
        "datePublished": "2026-06-15T23:56:59.391Z",
        "dateReserved": "2026-06-12T19:19:57.058Z",
        "dateUpdated": "2026-06-16T12:51:25.016Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12161 (GCVE-0-2026-12161)

    Vulnerability from cvelistv5 – Published: 2026-06-15 23:55 – Updated: 2026-06-16 15:00
    VLAI
    Summary
    Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alternate username and user interaction with the Elevate Shell action.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Remote Desktop Manager Affected: 0 , ≤ 2026.2.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12161",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T14:59:54.304221Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T15:00:25.327Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Remote Desktop Manager",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.2.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper input validation in the SSH Elevate Shell feature in \nDevolutions Remote Desktop Manager 2026.2.7 allows an authenticated user\n with permission to create or modify a shared SSH entry to execute \narbitrary commands on a remote SSH host using stored elevation \ncredentials via a crafted alternate username and user interaction with \nthe Elevate Shell action."
                }
              ],
              "value": "Improper input validation in the SSH Elevate Shell feature in \nDevolutions Remote Desktop Manager 2026.2.7 allows an authenticated user\n with permission to create or modify a shared SSH entry to execute \narbitrary commands on a remote SSH host using stored elevation \ncredentials via a crafted alternate username and user interaction with \nthe Elevate Shell action."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T23:55:24.745Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0018/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-12161",
        "datePublished": "2026-06-15T23:55:24.745Z",
        "dateReserved": "2026-06-12T19:16:15.418Z",
        "dateUpdated": "2026-06-16T15:00:25.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8694 (GCVE-0-2026-8694)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:11 – Updated: 2026-06-12 15:17
    VLAI
    Title
    Improper access control on the API documentation endpoint in PowerShell Universal
    Summary
    Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions PowerShell Universal Affected: 0 , ≤ 2026.1.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8694",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T15:17:00.643023Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T15:17:07.858Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerShell Universal",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.\u003c/p\u003e"
                }
              ],
              "value": "Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:11:33.453Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "name": "DEVO-2026-0016",
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0016/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Improper access control on the API documentation endpoint in PowerShell Universal",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-8694",
        "datePublished": "2026-06-12T14:11:33.453Z",
        "dateReserved": "2026-05-15T15:10:55.558Z",
        "dateUpdated": "2026-06-12T15:17:07.858Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10544 (GCVE-0-2026-10544)

    Vulnerability from cvelistv5 – Published: 2026-06-08 18:26 – Updated: 2026-06-08 19:53
    VLAI
    Summary
    Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command (OS command injection)
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.2.4.0 (custom)
    Affected: 0 , ≤ 2026.1.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10544",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-08T19:53:02.943180Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-08T19:53:47.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "status": "affected",
                  "version": "2026.2.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2026.1.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.2.4.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2026.1.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.2.4.0\n  *  Devolutions Server 2026.1.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (OS command injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-08T18:26:45.610Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0015/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-10544",
        "datePublished": "2026-06-08T18:26:45.610Z",
        "dateReserved": "2026-06-01T12:42:59.227Z",
        "dateUpdated": "2026-06-08T19:53:47.082Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10787 (GCVE-0-2026-10787)

    Vulnerability from cvelistv5 – Published: 2026-06-08 18:26 – Updated: 2026-06-09 14:36
    VLAI
    Summary
    Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.2.4.0 (custom)
    Affected: 0 , ≤ 2026.1.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10787",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T14:36:45.864456Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:36:50.004Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "status": "affected",
                  "version": "2026.2.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2026.1.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.2.4.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2026.1.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.2.4.0\n  *  Devolutions Server 2026.1.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-08T18:26:25.970Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0015/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-10787",
        "datePublished": "2026-06-08T18:26:25.970Z",
        "dateReserved": "2026-06-03T18:28:40.149Z",
        "dateUpdated": "2026-06-09T14:36:50.004Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10786 (GCVE-0-2026-10786)

    Vulnerability from cvelistv5 – Published: 2026-06-08 18:26 – Updated: 2026-06-08 19:44
    VLAI
    Summary
    Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext storage of sensitive information
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.2.4.0 (custom)
    Affected: 0 , ≤ 2026.1.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10786",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-08T19:44:26.585230Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-08T19:44:31.961Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "status": "affected",
                  "version": "2026.2.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2026.1.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.2.4.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2026.1.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.2.4.0\n  *  Devolutions Server 2026.1.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext storage of sensitive information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-08T18:26:09.352Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0015/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-10786",
        "datePublished": "2026-06-08T18:26:09.352Z",
        "dateReserved": "2026-06-03T18:28:18.543Z",
        "dateUpdated": "2026-06-08T19:44:31.961Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9522 (GCVE-0-2026-9522)

    Vulnerability from cvelistv5 – Published: 2026-06-02 14:08 – Updated: 2026-06-02 19:37
    VLAI
    Summary
    Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 0 , ≤ 2026.1.19 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9522",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-02T19:36:42.362741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-02T19:37:10.123Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.19",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003eImproper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T14:08:07.964Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0014/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9522",
        "datePublished": "2026-06-02T14:08:07.964Z",
        "dateReserved": "2026-05-25T19:20:49.940Z",
        "dateUpdated": "2026-06-02T19:37:10.123Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9590 (GCVE-0-2026-9590)

    Vulnerability from cvelistv5 – Published: 2026-06-02 14:07 – Updated: 2026-06-02 19:39
    VLAI
    Summary
    Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 0 , ≤ 2026.1.19 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9590",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-02T19:39:39.455258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-02T19:39:51.159Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.19",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003eImproper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.\u003c/div\u003e\u003c/div\u003e"
                }
              ],
              "value": "Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-02T14:07:08.599Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0014/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9590",
        "datePublished": "2026-06-02T14:07:08.599Z",
        "dateReserved": "2026-05-26T13:26:11.298Z",
        "dateUpdated": "2026-06-02T19:39:51.159Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7325 (GCVE-0-2026-7325)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:30 – Updated: 2026-05-22 16:48
    VLAI
    Summary
    Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Ssrf server side request forgery
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7325",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:48:18.959105Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:48:37.785Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Ssrf server side request forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:30:08.167Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-7325",
        "datePublished": "2026-05-22T15:30:08.167Z",
        "dateReserved": "2026-04-28T14:10:23.612Z",
        "dateUpdated": "2026-05-22T16:48:37.785Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9251 (GCVE-0-2026-9251)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:29 – Updated: 2026-05-22 16:49
    VLAI
    Summary
    Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9251",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:49:25.984797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:49:29.562Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry\u0027s data via a crafted status change request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry\u0027s data via a crafted status change request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:29:25.378Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9251",
        "datePublished": "2026-05-22T15:29:25.378Z",
        "dateReserved": "2026-05-21T20:03:12.616Z",
        "dateUpdated": "2026-05-22T16:49:29.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5171 (GCVE-0-2026-5171)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:28 – Updated: 2026-05-22 16:50
    VLAI
    Summary
    Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper access control
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5171",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:49:58.273868Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:50:52.887Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry\u0027s activity logs via a crafted API request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry\u0027s activity logs via a crafted API request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper access control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:28:47.611Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-5171",
        "datePublished": "2026-05-22T15:28:47.611Z",
        "dateReserved": "2026-03-30T15:51:43.984Z",
        "dateUpdated": "2026-05-22T16:50:52.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8477 (GCVE-0-2026-8477)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:27 – Updated: 2026-05-22 16:51
    VLAI
    Summary
    Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-841 - Improper enforcement of behavioral workflow
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8477",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:51:27.424786Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:51:48.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-841",
                  "description": "CWE-841 Improper enforcement of behavioral workflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:27:34.768Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-8477",
        "datePublished": "2026-05-22T15:27:34.768Z",
        "dateReserved": "2026-05-13T13:25:05.015Z",
        "dateUpdated": "2026-05-22T16:51:48.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9246 (GCVE-0-2026-9246)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:26 – Updated: 2026-05-22 16:52
    VLAI
    Summary
    Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9246",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:52:33.214632Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:52:43.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:26:51.049Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9246",
        "datePublished": "2026-05-22T15:26:51.049Z",
        "dateReserved": "2026-05-21T19:43:31.959Z",
        "dateUpdated": "2026-05-22T16:52:43.390Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9224 (GCVE-0-2026-9224)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:25 – Updated: 2026-05-22 16:53
    VLAI
    Summary
    Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9224",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:53:29.042423Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:53:32.882Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:25:33.660Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9224",
        "datePublished": "2026-05-22T15:25:33.660Z",
        "dateReserved": "2026-05-21T17:54:29.652Z",
        "dateUpdated": "2026-05-22T16:53:32.882Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9249 (GCVE-0-2026-9249)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:24 – Updated: 2026-05-22 16:54
    VLAI
    Summary
    Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-620 - Unverified password change
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.1,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9249",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:54:07.834438Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:54:12.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unverified password change in Devolutions Server allows an attacker to change a user\u0027s password without providing the previous one via a crafted password change request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Unverified password change in Devolutions Server allows an attacker to change a user\u0027s password without providing the previous one via a crafted password change request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-620",
                  "description": "CWE-620 Unverified password change",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:24:48.376Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9249",
        "datePublished": "2026-05-22T15:24:48.376Z",
        "dateReserved": "2026-05-21T19:44:50.416Z",
        "dateUpdated": "2026-05-22T16:54:12.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9245 (GCVE-0-2026-9245)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:24 – Updated: 2026-05-22 16:54
    VLAI
    Summary
    Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - Url redirection to untrusted site open redirect
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9245",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:54:52.601329Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:54:56.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 Url redirection to untrusted site open redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:24:09.107Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9245",
        "datePublished": "2026-05-22T15:24:09.107Z",
        "dateReserved": "2026-05-21T19:34:42.016Z",
        "dateUpdated": "2026-05-22T16:54:56.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9247 (GCVE-0-2026-9247)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:23 – Updated: 2026-05-22 16:55
    VLAI
    Summary
    Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.4,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9247",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:55:49.421347Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:55:53.773Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-778",
                  "description": "CWE-778 Insufficient logging",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:23:12.259Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9247",
        "datePublished": "2026-05-22T15:23:12.259Z",
        "dateReserved": "2026-05-21T19:43:58.365Z",
        "dateUpdated": "2026-05-22T16:55:53.773Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9248 (GCVE-0-2026-9248)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:22 – Updated: 2026-05-22 16:56
    VLAI
    Summary
    Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization bypass through user controlled key
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Affected: 0 , ≤ 2025.3.20.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 2.6,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9248",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:56:40.752057Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:56:44.768Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through user controlled key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:22:31.843Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9248",
        "datePublished": "2026-05-22T15:22:31.843Z",
        "dateReserved": "2026-05-21T19:44:28.926Z",
        "dateUpdated": "2026-05-22T16:56:44.768Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9223 (GCVE-0-2026-9223)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:21 – Updated: 2026-05-22 16:57
    VLAI
    Summary
    Missing authorization in the vault import feature in Devolutions Server  2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper access control
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 0 , ≤ 2026.1.16.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:57:42.519071Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:57:45.787Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing authorization in the vault import feature in Devolutions Server\u0026nbsp;\u0026nbsp;2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request."
                }
              ],
              "value": "Missing authorization in the vault import feature in Devolutions Server\u00a0\u00a02026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper access control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:21:39.170Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9223",
        "datePublished": "2026-05-22T15:21:39.170Z",
        "dateReserved": "2026-05-21T17:45:27.444Z",
        "dateUpdated": "2026-05-22T16:57:45.787Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9047 (GCVE-0-2026-9047)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:18 – Updated: 2026-05-22 16:58
    VLAI
    Summary
    Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-305 - Authentication bypass by primary weakness
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.16.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.6,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9047",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:58:25.424737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:58:40.924Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.16.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user\u0027s password to bypass the user\u0027s multi-factor authentication after the user reconfigures their factors.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user\u0027s password to bypass the user\u0027s multi-factor authentication after the user reconfigures their factors.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "CWE-305 Authentication bypass by primary weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:18:39.966Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-9047",
        "datePublished": "2026-05-22T15:18:39.966Z",
        "dateReserved": "2026-05-19T19:17:26.747Z",
        "dateUpdated": "2026-05-22T16:58:40.924Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5146 (GCVE-0-2026-5146)

    Vulnerability from cvelistv5 – Published: 2026-05-12 17:28 – Updated: 2026-05-13 16:01
    VLAI
    Summary
    Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.15.0 (custom)
    Affected: 0 , ≤ 2025.3.19.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5146",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T16:01:03.701737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T16:01:19.326Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.15.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.19.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003e\u003cspan\u003e\u003cspan\u003e\u003cp\u003eImproper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.\u003c/p\u003e\u003cp\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eDevolutions Server 2026.1.6.0 through 2026.1.15.0\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDevolutions Server 2025.3.19.0 and earlier\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
                }
              ],
              "value": "Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.\n\n\n\nThis issue affects the following versions :\n\n  *  \n\nDevolutions Server 2026.1.6.0 through 2026.1.15.0\n\n\n  *  \n\nDevolutions Server 2025.3.19.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T17:28:21.264Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0012"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-5146",
        "datePublished": "2026-05-12T17:28:21.264Z",
        "dateReserved": "2026-03-30T13:23:11.124Z",
        "dateUpdated": "2026-05-13T16:01:19.326Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8407 (GCVE-0-2026-8407)

    Vulnerability from cvelistv5 – Published: 2026-05-12 16:16 – Updated: 2026-05-13 16:00
    VLAI
    Summary
    Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.11.0 (custom)
    Affected: 0 , ≤ 2025.3.16.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8407",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T16:00:22.663071Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T16:00:40.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.11.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.16.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003e\u003cspan\u003e\u003cspan\u003e\u003cp\u003eMissing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.\u003c/p\u003e\u003cp\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eDevolutions Server 2026.1.6.0 through 2026.1.11.0\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDevolutions Server 2025.3.16.0 and earlier\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
                }
              ],
              "value": "Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.\n\n\n\nThis issue affects the following versions :\n\n  *  \n\nDevolutions Server 2026.1.6.0 through 2026.1.11.0\n\n\n  *  \n\nDevolutions Server 2025.3.16.0 and earlier"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T16:16:50.924Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0010/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-8407",
        "datePublished": "2026-05-12T16:16:50.924Z",
        "dateReserved": "2026-05-12T16:10:27.403Z",
        "dateUpdated": "2026-05-13T16:00:40.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6706 (GCVE-0-2026-6706)

    Vulnerability from cvelistv5 – Published: 2026-04-28 13:11 – Updated: 2026-04-30 17:39
    VLAI
    Summary
    Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Devolutions Server Affected: 2026.1.6.0 , ≤ 2026.1.14.0 (custom)
    Affected: 0 , ≤ 2025.3.18.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6706",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T17:34:47.842468Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T17:36:03.236Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Server",
              "vendor": "Devolutions",
              "versions": [
                {
                  "lessThanOrEqual": "2026.1.14.0",
                  "status": "affected",
                  "version": "2026.1.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2025.3.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003e\u003cspan\u003e\u003cspan\u003eImproper\n access control in the vault documentation feature in Devolutions \nServer allows an authenticated attacker to read documentation content \nfrom unauthorized vaults via a crafted API request.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper\n access control in the vault documentation feature in Devolutions \nServer allows an authenticated attacker to read documentation content \nfrom unauthorized vaults via a crafted API request.\n\n\n\nThis issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-30T17:39:14.209Z",
            "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
            "shortName": "DEVOLUTIONS"
          },
          "references": [
            {
              "url": "https://devolutions.net/security/advisories/DEVO-2026-0011"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "assignerShortName": "DEVOLUTIONS",
        "cveId": "CVE-2026-6706",
        "datePublished": "2026-04-28T13:11:44.350Z",
        "dateReserved": "2026-04-20T18:05:39.474Z",
        "dateUpdated": "2026-04-30T17:39:14.209Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }