Powershell Universal
Monthly
PowerShell Universal versions before 2026.1.4 contain an improper input validation vulnerability in the apps and endpoints configuration system that allows authenticated users with creation or modification permissions to inject malicious URL paths that override existing application or system routes. This vulnerability can result in unintended request routing where legitimate traffic is redirected to attacker-controlled endpoints, as well as denial of service conditions through route conflicts. The vulnerability requires high-level authentication privileges (PR:H) but has been formally documented in the ENISA EUVD database (EUVD-2026-12636) and poses a real risk to multi-tenant PowerShell Universal deployments where administrative controls may not be strictly enforced.
PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing any authenticated user to bypass role-based access controls and execute privileged operations. An attacker with valid credentials can exploit this to read sensitive data, modify or delete resources, and disrupt service availability. No patch is currently available.
PowerShell Universal versions before 4.5.6 and 5.6.13 contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the network interface, affecting confidentiality and integrity of user sessions. An attacker can exploit this with user interaction to steal sensitive information or perform actions on behalf of affected users. No patch is currently available for this vulnerability.
PowerShell Universal versions before 2026.1.4 contain an improper input validation vulnerability in the apps and endpoints configuration system that allows authenticated users with creation or modification permissions to inject malicious URL paths that override existing application or system routes. This vulnerability can result in unintended request routing where legitimate traffic is redirected to attacker-controlled endpoints, as well as denial of service conditions through route conflicts. The vulnerability requires high-level authentication privileges (PR:H) but has been formally documented in the ENISA EUVD database (EUVD-2026-12636) and poses a real risk to multi-tenant PowerShell Universal deployments where administrative controls may not be strictly enforced.
PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing any authenticated user to bypass role-based access controls and execute privileged operations. An attacker with valid credentials can exploit this to read sensitive data, modify or delete resources, and disrupt service availability. No patch is currently available.
PowerShell Universal versions before 4.5.6 and 5.6.13 contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the network interface, affecting confidentiality and integrity of user sessions. An attacker can exploit this with user interaction to steal sensitive information or perform actions on behalf of affected users. No patch is currently available for this vulnerability.