CVE-2026-3221

MEDIUM

Devolutions Server <2025.3.14 - Info Disclosure

Title source: llm

Description

Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.

References (1)

[Vendor Advisory] https://devolutions.net/security/advisories/DEVO-2026-0004/

Scores

CVSS v3 4.9

EPSS 0.0002

EPSS Percentile 3.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-312

Status published

Affected Products (1)

devolutions/devolutions_server < 2025.3.15.0

Timeline

Published Feb 25, 2026

Tracked Since Feb 26, 2026