CVE-2026-13372
Last modified
CVE-2026-13372 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.. EPSS estimates a 0.28% chance of exploitation in the next 30 days.
Description
Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Devolutions | Remote Desktop Manager | >= 2026.2.5.0, <= 2026.2.12.0 |
References
- https://devolutions.net/security/advisories/DEVO-2026-0021/Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-13372?
How severe is CVE-2026-13372?
How do I fix CVE-2026-13372?
Related CVEs from 2026
- CVE-2026-13357The Houzez Property Feed plugin for WordPress is vulnerable …4.9
- CVE-2026-1336The AI ChatBot with ChatGPT and Content Generator by AYS plu…5.3
- CVE-2026-13368WatchGuard Fireware OS contains a race condition leading to …9.2
- CVE-2026-13369The Ninja Forms - File Uploads plugin for WordPress is vulne…7.5
- CVE-2026-1337Insufficient escaping of unicode characters in query log in …5.4
- CVE-2026-13371An authenticated administrator can trigger a denial-of-servi…6.9
- CVE-2026-13373Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13374Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13375Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13376Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13377Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13378The Form Vibes – Database Manager for Forms plugin for WordP…7.2
Are you affected by CVE-2026-13372?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
