Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
The page displaying error messages in Devolutions Server does not perform proper validation of input data (CWE-20). An attacker can construct a specially crafted URL that causes arbitrary content controlled by the attacker to be displayed as an error message from the application. This mechanism can be exploited to mislead a user about the status or origin of the message.
An attacker can impersonate system messages from the application, potentially tricking users into taking unwanted actions, disclosing credentials, or trusting false information presented in the Devolutions Server interface.
Devolutions Server should be updated to a version newer than 2025.3.16. Detailed information about available patches can be found in the official security bulletin from the vendor: https://devolutions.net/security/advisories/DEVO-2026-0005
Devolutions Server version 2025.3.16 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDevolutions Server
APPDevolutions≤ 2025.3.16.0
Related vulnerabilities
Devolutions Server: nieuprawnione usuwanie kont PAM przez bulk deletion
Authentication bypass w Devolutions Server przez sfałszowany JWT (Entra ID)
SQL Injection w module remote-sessions Devolutions Server
Devolutions Server – nieautoryzowane zatwierdzanie wniosków o dostęp tymczasowy
Devolutions Server – pominięcie uwierzytelnienia przez brute force kodów awaryjnych