{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0610", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-01-05T16:11:38.393Z", "datePublished": "2026-01-19T14:31:13.173Z", "dateUpdated": "2026-01-20T15:05:32.415Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Server", "vendor": "Devolutions", "versions": [{"lessThanOrEqual": "2025.3.12", "status": "affected", "version": "2025.3.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL Injection vulnerability in remote-sessions in Devolutions Server.<p>This issue affects Devolutions Server 2025.3.1 through 2025.3.12</p>\n\n<br>"}], "value": "SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-19T14:31:13.173Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0003/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:04:37.682499Z", "id": "CVE-2026-0610", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:05:32.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0610", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T15:04:37.682499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:05:26.871Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2025.3.1", "versionType": "custom", "lessThanOrEqual": "2025.3.12"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0003/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12", "supportingMedia": [{"type": "text/html", "value": "SQL Injection vulnerability in remote-sessions in Devolutions Server.<p>This issue affects Devolutions Server 2025.3.1 through 2025.3.12</p>\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-19T14:31:13.173Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0610", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:05:32.415Z", "dateReserved": "2026-01-05T16:11:38.393Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-01-19T14:31:13.173Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AB0B4A6-06F7-48B3-8A6A-FF16B36CA000", "versionEndExcluding": "2025.3.14.0", "versionStartIncluding": "2025.3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12"}], "id": "CVE-2026-0610", "lastModified": "2026-02-10T15:18:15.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-19T15:15:50.080", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0003/"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:53:55.425000+00:00", "value": {"mitigation_remediation": ["Apply the latest Devolutions Server update that addresses CVE-2026-0610.", "If a patch cannot be applied immediately, disable or remove the remote\u2011sessions feature until the vulnerability is fixed.", "Restrict access to the remote\u2011session endpoint to trusted IP ranges and enforce strong authentication policies.", "Monitor database logs for anomalous queries that may indicate an attempted injection attack."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "Devolutions Server version 2025.3.1 through 2025.3.12 are affected.", "description_and_impact": "An SQL Injection flaw exists in the remote-sessions component of Devolutions Server, allowing an attacker to inject arbitrary SQL statements into queries that are executed against the server\u2019s database. Classified as CWE-89, this vulnerability can lead to exposure or alteration of sensitive data stored on the server and may compromise the integrity of the database if user input is not properly sanitized. The impact is a significant risk to confidentiality and integrity, potentially allowing a malicious actor to exfiltrate data, modify records, or disrupt application functionality. The CVSS score of 9.8 reflects a severe risk, but the EPSS score of less than 1% indicates that exploitation probability is currently very low.", "risk_and_exploitability": "The vulnerability can be exploited remotely via the remote\u2011sessions interface, requiring network access and valid authentication to submit malicious input. It is listed as a high\u2011severity weakness; however, its EPSS score indicates that exploitation is unlikely at present, and it is not catalogued in CISA KEV. Despite the low exploitation probability, the potential damage is substantial if an attacker successfully injects SQL commands."}}}}, "created": "2026-01-20T08:43:27.879135+00:00", "title": "Remote SQL Injection in Devolutions Server Remote Sessions", "updated": "2026-04-18T16:00:04.288716+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$devolutions_server"], "weaknesses": ["CWE-89"]}