Ideagen DevonWay CVE-2026-22587
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.
AnalysisAI
Ideagen DevonWay is vulnerable to stored cross-site scripting in the Reports page, allowing authenticated attackers to inject malicious scripts that execute when other users view affected reports. This vulnerability impacts all users with access to DevonWay reports and enables session hijacking, credential theft, or malware distribution. No patch is currently available; versions 2.62.4 and 2.62 LTS are noted as fixed versions.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.
Affected ProductsAI
Ideagen DevonWay contains a stored cross site scripting vulnerability
RemediationAI
Fixed in version 2.62.4. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today