ReportizFlow
Filtered by vendor Devolutions
Subscriptions
Total
164 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-12117 | 1 Devolutions | 1 Devolutions Server | 2026-06-19 | 4.3 Medium |
| Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request. | ||||
| CVE-2026-12105 | 1 Devolutions | 1 Devolutions Server | 2026-06-19 | 6.5 Medium |
| Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions. | ||||
| CVE-2026-12162 | 1 Devolutions | 1 Remote Desktop Manager | 2026-06-18 | 5.5 Medium |
| Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain. | ||||
| CVE-2026-12161 | 1 Devolutions | 1 Remote Desktop Manager | 2026-06-18 | 8.8 High |
| Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alternate username and user interaction with the Elevate Shell action. | ||||
| CVE-2026-11890 | 1 Devolutions | 1 Devolutions Server | 2026-06-18 | 4.3 Medium |
| Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results. | ||||
| CVE-2026-8694 | 2 Devolutions, Ironmansoftware | 2 Powershell Universal, Powershell Universal | 2026-06-15 | 5.3 Medium |
| Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints. | ||||
| CVE-2026-10544 | 1 Devolutions | 2 Devolutions Server, Server | 2026-06-12 | 6.5 Medium |
| Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier | ||||
| CVE-2026-10786 | 1 Devolutions | 2 Devolutions Server, Server | 2026-06-12 | 6.5 Medium |
| Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier | ||||
| CVE-2026-10787 | 1 Devolutions | 2 Devolutions Server, Server | 2026-06-12 | 4.3 Medium |
| Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier | ||||
| CVE-2026-9590 | 1 Devolutions | 2 Devolutions Server, Server | 2026-06-03 | 5.3 Medium |
| Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission. | ||||
| CVE-2026-9522 | 1 Devolutions | 2 Devolutions Server, Server | 2026-06-03 | 5.4 Medium |
| Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations. | ||||
| CVE-2026-5146 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-26 | 4.3 Medium |
| Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier | ||||
| CVE-2026-8407 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-26 | 4.3 Medium |
| Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier | ||||
| CVE-2026-9223 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 4.3 Medium |
| Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request. | ||||
| CVE-2026-9251 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 5.4 Medium |
| Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-9245 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 5 Medium |
| Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-9249 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 3.1 Low |
| Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-9248 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 2.6 Low |
| Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-9246 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 4.3 Medium |
| Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||
| CVE-2026-9247 | 1 Devolutions | 2 Devolutions Server, Server | 2026-05-22 | 2.4 Low |
| Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | ||||