CRITICAL🇵🇱 Wersja polska

CVE-2026-3204

CVSS 9.8v3.1pub. 2026-03-03upd. 2026-03-05

Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.

🤖 AI Analysis
How it works

The page displaying error messages in Devolutions Server does not perform proper validation of input data (CWE-20). An attacker can construct a specially crafted URL that causes arbitrary content controlled by the attacker to be displayed as an error message from the application. This mechanism can be exploited to mislead a user about the status or origin of the message.

Impact

An attacker can impersonate system messages from the application, potentially tricking users into taking unwanted actions, disclosing credentials, or trusting false information presented in the Devolutions Server interface.

Mitigation & patch

Devolutions Server should be updated to a version newer than 2025.3.16. Detailed information about available patches can be found in the official security bulletin from the vendor: https://devolutions.net/security/advisories/DEVO-2026-0005

Who is affected

Devolutions Server version 2025.3.16 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Devolutions Server

    APP
    Devolutions
    ≤ 2025.3.16.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-3130CRITICAL9.8PL ✓ten sam produkt

Devolutions Server: nieuprawnione usuwanie kont PAM przez bulk deletion

CVE-2026-3224CRITICAL9.8PL ✓ten sam produkt

Authentication bypass w Devolutions Server przez sfałszowany JWT (Entra ID)

CVE-2026-0610CRITICAL9.8PL ✓ten sam produkt

SQL Injection w module remote-sessions Devolutions Server

CVE-2025-11957CRITICAL9.0PL ✓ten sam produkt

Devolutions Server – nieautoryzowane zatwierdzanie wniosków o dostęp tymczasowy

CVE-2025-6523CRITICAL9.5PL ✓ten sam produkt

Devolutions Server – pominięcie uwierzytelnienia przez brute force kodów awaryjnych