CVE List – Find High-Risk & Exploited Vulnerabilities

Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.

Assigner (CNA / source):[email protected] Remove this filter

Showing 120 of 90 results
«« First « Prev Page 1 / 5 Next »
CVE Description Max CVSS EPSS % Published Updated
CVE-2026-14536 Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value. 8.8 0.18% 2026-07-06 2026-07-08
CVE-2026-13437 Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses. 6.5 0.26% 2026-06-29 2026-07-02
CVE-2026-13372 Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link. 7.2 0.28% 2026-06-26 2026-06-29
CVE-2026-10696 Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update. 7.5 0.27% 2026-06-17 2026-06-24
CVE-2026-12105 Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions. 6.5 0.20% 2026-06-16 2026-06-18
CVE-2026-12161 Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alternate username and user interaction with the Elevate Shell action. 8.8 0.29% 2026-06-15 2026-06-17
CVE-2026-10786 Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier 6.5 0.15% 2026-06-08 2026-06-17
CVE-2026-10544 Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier 6.5 0.20% 2026-06-08 2026-06-17
CVE-2026-9047 Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 7.6 0.21% 2026-05-22 2026-06-17
CVE-2026-7325 Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier 7.1 0.22% 2026-05-22 2026-06-17
CVE-2026-6706 Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0. 6.5 0.20% 2026-04-28 2026-06-17
CVE-2026-4927 Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11. 6.5 0.22% 2026-04-01 2026-06-17
CVE-2026-4924 Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token. 8.2 0.33% 2026-04-01 2026-06-17
CVE-2026-4828 Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request. 8.2 0.26% 2026-04-01 2026-06-17
CVE-2026-4434 Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification. 8.1 0.14% 2026-03-20 2026-06-17
CVE-2026-4396 Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification. 8.1 0.14% 2026-03-18 2026-06-17
CVE-2026-4064 Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and disrupting service operations — via crafted gRPC requests. 8.3 0.33% 2026-03-17 2026-06-17
CVE-2026-3224 Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT). 9.8 0.51% 2026-03-03 2026-06-17
CVE-2026-3204 Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL. 9.8 0.53% 2026-03-03 2026-06-17
CVE-2026-3130 Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion. 9.8 0.45% 2026-03-03 2026-06-17
«« First « Prev Page 1 / 5 Next »
cvelogic Threat Intelligence