CVE-2026-3221

MEDIUM

Devolutions Server <2025.3.14 - Info Disclosure

Title source: llm

Description

Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.

References (1)

[Vendor Advisory] https://devolutions.net/security/advisories/DEVO-2026-0004/

Scores

CVSS v3 4.9

EPSS 0.0002

EPSS Percentile 4.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-312

Status published

Products (1)

devolutions/devolutions_server < 2025.3.15.0

Published Feb 25, 2026

Tracked Since Feb 26, 2026