Powershell Universal
CVE-2026-0618
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
AnalysisAI
PowerShell Universal versions before 4.5.6 and 5.6.13 contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the network interface, affecting confidentiality and integrity of user sessions. An attacker can exploit this with user interaction to steal sensitive information or perform actions on behalf of affected users. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Powershell Universal. Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
More in Powershell Universal
View allThe API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary comman
Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with
PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing
The Web Server in Ironman Software PowerShell Universal v3.x and v2.x allows for directory traversal outside of the conf
Devolutions PowerShell Universal 2026.2.0 leaks serialized App Tokens in plaintext within AI Agent job API responses, en
authentication configuration in PowerShell Universal versions up to 2026.1.3 is affected by cleartext storage of sensit
PowerShell Universal versions before 2026.1.4 contain an improper input validation vulnerability in the apps and endpoin
Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today