CVE-2026-9246

CVE Database · CVE-2026-9246

CVE-2026-9246

· MEDIUMAnalyzed

CVSS v3.1

4.3

EPSS

0.15%

Published

May 22, 2026

Modified

May 22, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Weaknesses (CWE)

CWE-862

Affected Products (2)

devolutions · devolutions_server (up to 2025.3.22.0)vulnerable

devolutions · devolutions_server (up to 2026.1.19.0)vulnerable

References (1)

https://devolutions.net/security/advisories/DEVO-2026-0013/

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs