Devolutions 漏洞與 CVE 列表(165)

產品(CPE): — CVE 數: 165

Devolutions 漏洞概覽

彙總 Devolutions 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。

已披露問題常與 跨站腳本、SQL 注入與輸入驗證問題 相關,可能在 生產負載與軟體部署 場景中帶來 工作階段劫持與資料外洩 等暴露風險。

相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。

漏洞分布趨勢(近 24 個月)

顯示 2140165 CVE 數
CVE 摘要 來源 最高 CVSS EPSS % 公開時間 更新時間
CVE-2026-9246 Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier [email protected] 4.3 0.15% 2026-05-22 2026-06-17
CVE-2026-9245 Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier [email protected] 5.0 0.17% 2026-05-22 2026-06-17
CVE-2026-9224 Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier [email protected] 4.3 0.15% 2026-05-22 2026-06-17
CVE-2026-9223 Missing authorization in the vault import feature in Devolutions Server  2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request. [email protected] 4.3 0.15% 2026-05-22 2026-06-17
CVE-2026-9047 Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 [email protected] 7.6 0.21% 2026-05-22 2026-06-17
CVE-2026-8477 Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier [email protected] 2.7 0.23% 2026-05-22 2026-06-17
CVE-2026-7325 Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier [email protected] 7.1 0.22% 2026-05-22 2026-06-17
CVE-2026-5171 Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier [email protected] 4.3 0.21% 2026-05-22 2026-06-17
CVE-2026-5146 Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier [email protected] 4.3 0.16% 2026-05-12 2026-06-17
CVE-2026-8407 Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier [email protected] 4.3 0.20% 2026-05-12 2026-06-17
CVE-2026-6706 Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0. [email protected] 6.5 0.20% 2026-04-28 2026-06-17
CVE-2026-5175 Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.  This issue affects Server: from 2026.1.6 through 2026.1.11. [email protected] 5.0 0.25% 2026-04-01 2026-06-17
CVE-2026-4989 Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17. [email protected] 4.3 0.16% 2026-04-01 2026-06-17
CVE-2026-4927 Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11. [email protected] 6.5 0.22% 2026-04-01 2026-06-17
CVE-2026-4925 Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11. [email protected] 5.0 0.19% 2026-04-01 2026-06-17
CVE-2026-4924 Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token. [email protected] 8.2 0.33% 2026-04-01 2026-06-17
CVE-2026-4829 Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow. [email protected] 5.4 0.17% 2026-04-01 2026-06-17
CVE-2026-4828 Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request. [email protected] 8.2 0.26% 2026-04-01 2026-06-17
CVE-2026-4434 Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification. [email protected] 8.1 0.14% 2026-03-20 2026-06-17
CVE-2026-4396 Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification. [email protected] 8.1 0.14% 2026-03-18 2026-06-17
cvelogic Threat Intelligence