
EUVD-2026-39386 | CVE-2026-12755 | LOW

Improper Validation of Specified Quantity in Input (CWE-1284)
Published 2026-06-25 · Vendor: DEVOLUTIONS · Advisory: GHSA-6vpw-rmvh-qc2w
CVSS 3.1 base score: 2.7 (LOW)

Severity by source

Vendor (DEVOLUTIONS) PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (DEVOLUTIONS) · only source for this CVE.

CVSS vector (Vendor: DEVOLUTIONS)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 25, 2026 - 15:17 (EUVD)
CVE Published: Jun 25, 2026 - 13:12 (cve.org)
Severity at publication: UNKNOWN (no severity yet)

Description (source: CVE.org)

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.



More in Server

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2026-49261 CRITICAL
9.8 Jun 11

OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes b

CVE-2026-57521 MEDIUM POC
5.3 Jun 25

Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user vi

CVE-2026-43638 MEDIUM POC
5.3 May 11

Bitwarden Server prior to v2026.4.1 allows any authenticated user to write ciphers (encrypted credentials) into arbitrar

CVE-2026-4924 HIGH
8.2 Apr 01

Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by re

CVE-2026-4828 HIGH
8.2 Apr 01

Devolutions Server versions 2026.1.11 and earlier allow authenticated remote attackers to bypass multi-factor authentica

CVE-2026-4434 HIGH
8.1 Mar 20

Devolutions Server contains an improper certificate validation vulnerability in its PAM propagation WinRM connections th

CVE-2026-41161 MEDIUM
6.9 May 08

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version

CVE-2025-15316 MEDIUM
6.7 Feb 09

Tanium addressed a local privilege escalation vulnerability in Tanium Server. [CVSS 6.7 MEDIUM]


EUVD-2026-39386 vulnerability details – vuln.today
