CVE-2021-23925
Devolutions Server (prior to version 2020.3) contains a cross-site scripting (XSS) vulnerability in Document entries. The issue affects the Document-type data handling and allows injecting JavaScript code, as described across multiple CVE references (CVE-2021-23925) with CVSS v3.1 base score 6.1 ...
CVE-2021-23924
Summary: Devolutions Server prior to 2020.3 contains an information-disclosure vulnerability where diagnostic files expose sensitive data. Affected product: Devolutions Server (versions before 2020.3). Vulnerability: Exposure of sensitive information in diagnostic files. Root cause stated as info...
CVE-2024-2921
The CVE concerns Devolutions Server (version family up to 2024.1.10.0) with an improper access control flaw in PAM vault permissions. An authenticated user who can access the PAM may reach unauthorized PAM entries due to the misconfigured permissions. Documents consistently describe the affected ...
CVE-2021-23923
The CVE concerns Devolutions Server prior to 2020.3 with a Broken Authentication issue involving Windows domain users. Public documents identify affected software and the vulnerability type but do not provide exploit details, exact root cause, or remediation steps within the supplied sources. Mon...
CVE-2021-23921
CVE-2021-23921 affects Devolutions Server prior to 2020.3. The issue is broken access control on Password List entry elements, as described in the CVE entry and corroborated by NVD/related records. The connected documents confirm the affected software and the underlying flaw (inadequate access re...
CVE-2021-28157
CVE-2021-28157 affects Devolutions Server and Devolutions Server LTS. The vulnerability is a SQL injection in the API endpoint api/security/userinfo/delete that allows an administrative user to execute arbitrary SQL commands. Affected versions are Devolutions Server before 2021.1 and Devolutions ...
CVE-2022-3781
CVE-2022-3781 affects Devolutions Remote Desktop Manager (versions 2022.2.26 and earlier) and Devolutions Server (versions 2022.3.1 and earlier). The root cause is that Dashlane passwords and Keepass Server passwords stored in My Account Settings are not encrypted in the database, allowing databa...
CVE-2024-2915
CVE-2024-2915 affects Devolutions Server up to version 2024.1.6, where a flaw in the PAM JIT elevation feature permits an attacker with PAM JIT access to elevate to unauthorized groups via a specially crafted request. The issue is categorized as improper access control; CVSS v3.1 base score 8.8 (...
CVE-2022-33996
CVE-2022-33996 affects Devolutions Server older than 2022.2. The issue is incorrect permission management where a new user with a preexisting username inherits the permissions of the previous user. Documented impact includes potential confidentiality, integrity, and availability concerns, with CV...
CVE-2025-1231
CVE-2025-1231 affects Devolutions Server 2024.3.10.0 and earlier, caused by an improper password reset in the PAM module that lets an authenticated user reuse the oracle password after check-in due to a crash in the password reset flow. Exploitation details are not provided in the documents. ...
CVE-2025-2280
In Devolutions Server, CVE-2025-2280 corresponds to improper access control in the Web Extension Restrictions feature, affecting version 2024.3.4.0 and earlier. An authenticated user can bypass the browser extension restriction, per sources describing this vulnerability. The provided documents co...
CVE-2021-28048
The CVE-2021-28048 entry concerns Devolutions Server (versions prior to 2021.1 and Devolutions Server LTS prior to 2020.3.18). The root cause is an overly permissive Cross-Origin Resource Sharing (CORS) policy that allows a remote attacker to leak cross-origin data via a specially crafted HTML pa...
CVE-2023-1603
CVE-2023-1603 affects Devolutions Server 2022.3.13 and earlier: a permission bypass vulnerability in the User vault when importing or synchronizing entries, due to an ID collision that lets users with restricted rights bypass entry permissions. The reported impact is that integrity of access cont...
CVE-2023-1201
CVE-2023-1201 affects Devolutions Server 2022.3.12 and earlier, with an improper access control issue in the secure messages feature. An authenticated attacker who possesses the message UUID can access the data contained in that message, per multiple sources. The CVSSv3.1 base score is 6.5 (Mediu...
CVE-2025-4316
CVE-2025-4316 describes an improper access control in the PAM feature of Devolutions Server that enables a PAM user to self-approve requests, contrary to policy. Affected versions include 2025.1.3.0–2025.1.6.0 and all versions up to 2024.3.15.0. The issue’s root cause is restricted to PAM workflo...
CVE-2024-1764
CVE-2024-1764 affects Devolutions Server 2023.3.14.0 and earlier, due to improper privilege management in the Just-in-time (JIT) elevation module. The root cause is the JIT privilege handling, which allows a user to continue using elevated privileges after expiration under certain circumstances. ...
CVE-2025-2278
CVE-2025-2278 affects Devolutions Server versions prior to or equal to 2024.3.13. The issue is improper access control in the temporary access requests and checkout requests endpoints, enabling an authenticated user to view information about these requests via a known request ID. The provided met...
CVE-2022-2316
CVE-2022-2316: The connected sources confirm an HTML injection vulnerability in Devolutions Server prior to 2022.2 affecting the handling of secure messages. The root cause is injection of HTML tags into a secure message (including its header, per CNNVD) that can alter how the page renders or ca...
CVE-2024-12196
CVE-2024-12196 affects Devolutions Server 2024.3.7.0 and earlier due to incorrect authorization in the permissions component, allowing an authenticated user to view the password history of an entry without the view password permission. Documents identify the affected software and the underlying c...
CVE-2023-5358
CVE-2023-5358 affects Devolutions Server (versions ≤ 2023.2.10.0). The issue is an improper access control in the Report log filters feature, which allows an attacker to retrieve logs from vaults or entries beyond their permissions via the report request URL query parameters. The public documenta...
CVE-2025-3517
CVE-2025-3517 affects Devolutions Server (versions ≤ 2025.1.5.0) and concerns the PAM JIT elevation feature. The root cause is an incorrect privilege assignment caused by failure to update the internal account SID when updating a username, enabling a PAM user to elevate a previously configured us...
CVE-2024-12148
CVE-2024-12148 affects Devolutions Server 2024.3.6.0 and earlier. The root cause is incorrect authorization in the permission validation component, allowing an authenticated user to access some reporting endpoints. Impact is limited to unauthorized access to reporting data as described in multipl...
CVE-2024-12151
CVE-2024-12151 affects Devolutions Server (versions 2024.3.8.0 and earlier) due to an incorrect permission assignment in the User Migration feature, allowing users to retain their old permission sets. The vulnerable component is the User Migration feature; root cause: incorrect permission handlin...
CVE-2025-4433
CVE-2025-4433 affects Devolutions Server (versions 2025.1.7.0 and earlier). The vulnerability arises from improper access control in User Group Management, enabling a non-administrative user who has both User Management and User Group Management permissions to escalate privileges by adding users ...
CVE-2023-2445
Summary of CVE-2023-2445 (Devolutions Server). Affected software: Devolutions Server, versions 2023.1.1 and earlier. Vulnerability: Improper access control in the Subscriptions Folder path filter. This allows attackers with administrator privileges to retrieve usage information about folders in a ...
CVE-2025-2003
Summary (CVE-2025-2003): Affected product Devolutions Server (versions 2024.3.12 and earlier) contains an incorrect authorization flaw in PAM vaults that allows an authenticated user to bypass the ‘add in root’ permission. Public sources consistently describe this as an authorization bypass vuln...
CVE-2025-5382
CVE-2025-5382 concerns Devolutions Server (versions ≤ 2025.1.7.0) where improper access control in the user MFA feature lets a user with the user-management permission remove or change administrators’ MFA settings. The vulnerability affects the MFA configuration component and is triggered by insu...
CVE-2024-5072
The CVE-2024-5072 entry describes a vulnerability in Devolutions Server (versions up to 2024.1.11.0) where improper input validation in the PAM JIT elevation feature allows an authenticated user to manipulate LDAP filter queries through a specially crafted request. Documented details include affe...
CVE-2025-2277
CVE-2025-2277 affects Devolutions Server
CVE-2021-36382
CVE-2021-36382 affects Devolutions Server prior to 2021.1.18 and LTS prior to 2020.3.20. The issue allows interception of private keys via a man-in-the-middle attack against the connections/partial endpoint, which accepts plaintext. Affected components and exact root cause are described across mu...
CVE-2023-2118
CVE-2023-2118 affects Devolutions Server 2023.1.5.0 and earlier. The issue is insufficient access control in the support ticket feature, enabling an authenticated attacker to send support tickets and download diagnostic files through specific endpoints. Impact is described as unauthorized access ...
CVE-2024-10971
CVE-2024-10971 affects Devolutions DVLS 2024.3.6 and earlier: an improper access control in the Password History feature allows a malicious authenticated user to obtain sensitive data via faulty permissions. Red Hat and Nessus/Nessus-derived sources corroborate information disclosure in DVLS 2024...
CVE-2024-1898
CVE-2024-1898: Devolutions Server (versions up to 2023.3.14.0) has improper access control in the notification feature, allowing a low-privileged user to change administrator-configured notification settings. The root cause is access control weakness that lets non-admins modify admin-defined con...
CVE-2024-6512
CVE-2024-6512: Affects Devolutions Server 2024.2.10 and earlier. The issue is an authorization bypass in the PAM access request approval mechanism that lets authenticated users with approval permissions approve their own requests, bypassing security restrictions. Impact described as an integrity ...
CVE-2023-2400
Summary: CVE-2023-2400 affects Devolutions Server 2023.1.8 and earlier. The vulnerability stems from an improper deletion of resources in the user management feature, which allows an administrator to view the vaults of deleted users via database access. Affected software/area: Devolutions Server,...
CVE-2024-3545
CVE-2024-3545 involves Devolutions Remote Desktop Manager (Windows) version 2024.1.20 and earlier, and Devolutions Server version 2024.1.8 and earlier. The vulnerability stems from improper permission handling in the vault offline cache feature, which could allow an attacker with access to the in...
CVE-2024-4846
CVE-2024-4846 describes an authentication bypass in the 2FA feature of Devolutions Server, affected versions 2024.1.14.0 and earlier. An authenticated attacker can sign in as another user without being prompted for 2FA via another browser tab. The available connected documents confirm the vulnera...
CVE-2024-2918
CVE-2024-2918 affects Devolutions Server 2024.1.6 and earlier, via improper input validation in the PAM JIT elevation feature. The issue allows an attacker with access to PAM JIT elevation to forge the displayed group in the PAM JIT elevation checkout request through a specially crafted request. ...
CVE-2023-6264
The CVE-2023-6264 case concerns Devolutions Server (version 2023.3.7.0). The issue is an information leak in the Content-Security-Policy header that allows an unauthenticated attacker to list configured Devolutions Gateways endpoints, i.e., information disclosure with network access (no authentic...
CVE-2026-9245
CVE-2026-9245 describes an improper input validation vulnerability in the external authentication provider flow of Devolutions Server. An unauthenticated remote attacker can coerce victims of Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier to be redirected to an attacker-con...
CVE-2026-9251
The CVE-2026-9251 issue affects Devolutions Server versions 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier. The vulnerability arises from missing authorization in the entry status management feature, allowing a non-administrator authenticated user to bypass the administrator-enforced Pending ...
CVE-2026-9590
Technical details beyond the description are not publicly provided in the supplied documents. No affected versions, exploit specifics, or remediation steps are confirmed here; monitor for updates from the vendor and standard advisories.
CVE-2026-3224
Affected software: Devolutions Server (versions 2025.3.15.0 and earlier). Vulnerability: Authentication bypass in Microsoft Entra ID (Azure AD) mode, allowing an unauthenticated user to impersonate any Entra ID user via a forged JWT. Documented behavior points to exploitation via the /api/v1/logi...
CVE-2026-9224
CVE-2026-9224: The issue in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request due to missing authorization in the user profile update feature. Affected: Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and e...
CVE-2026-5171
CVE-2026-5171 describes improper access control in Devolutions Server’s entry activity log feature. An authenticated user with access to an entry but lacking the required permission can retrieve that entry’s activity logs via a crafted API request. Affected: Devolutions Server 2026.1.6.0–2026.1.1...
CVE-2026-8477
CVE-2026-8477 describes an issue in Devolutions Server where the sealed-entry workflow for entry sensitive-data retrieval can be bypassed: an authenticated user with access to a sealed entry could fetch its sensitive data without triggering the unseal audit via a crafted API request. Affected ver...
CVE-2025-8312
CVE-2025-8312 describes a deadlock in Devolutions Server’s PAM automatic check-in feature that can allow a password to stay valid past its intended check-out. Affected versions include Devolutions Server 2025.2.2.0 through 2025.2.5.0 and 2025.1.12.0 and earlier. The root cause is a scheduling-ser...
CVE-2026-7325
The CVE-2026-7325 entry applies to Devolutions Server, with affected versions 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier. The issue is an improper authorization in the Active Directory browsing feature that lets a low-privileged authenticated user obtain authentication material associated...
CVE-2026-9246
CVE-2026-9246: Improper access control in Devolutions Server’s entry documentation and attachment features allows an authenticated user with vault read access to retrieve documentation and attachments of sealed entries via a crafted API request. Affected: Devolutions Server 2026.1.6.0–2026.1.16....
CVE-2026-9247
CVE-2026-9247: Insufficient logging in Devolutions Server’s entry export feature allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification. Affected: Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier. Root cause: l...