{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0618", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-01-05T18:08:41.762Z", "datePublished": "2026-01-07T17:00:21.027Z", "dateUpdated": "2026-01-07T17:21:44.829Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PowerShell Universal", "vendor": "Devolutions", "versions": [{"lessThan": "5.6.13", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "4.5.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-site Scripting vulnerability in Devolutions PowerShell Universal.<p>This issue affects Powershell Universal: before 4.5.6, before 5.6.13.</p>"}], "value": "Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-07T17:00:21.027Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0001/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T17:21:21.186020Z", "id": "CVE-2026-0618", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T17:21:44.829Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T17:21:21.186020Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T17:21:39.286Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "PowerShell Universal", "versions": [{"status": "affected", "version": "0", "lessThan": "5.6.13", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "4.5.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0001/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.", "supportingMedia": [{"type": "text/html", "value": "Cross-site Scripting vulnerability in Devolutions PowerShell Universal.<p>This issue affects Powershell Universal: before 4.5.6, before 5.6.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-07T17:00:21.027Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0618", "state": "PUBLISHED", "dateUpdated": "2026-01-07T17:21:44.829Z", "dateReserved": "2026-01-05T18:08:41.762Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-01-07T17:00:21.027Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ironmansoftware:powershell_universal:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FF914AA-9D44-43A2-9C86-6E0AC4D125D5", "versionEndExcluding": "4.5.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:ironmansoftware:powershell_universal:*:*:*:*:*:*:*:*", "matchCriteriaId": "764743E5-62D2-4ACD-B0C2-5D75CBBDF17C", "versionEndExcluding": "5.6.13", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13."}], "id": "CVE-2026-0618", "lastModified": "2026-01-30T01:41:53.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-07T17:16:02.127", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0001/"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:53:53.819862+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch that updates PowerShell Universal to version 4.5.6 or newer, or to 5.6.13 or newer", "Limit web access to administrators and restrict exposure of the web UI to trusted networks", "Implement a strict Content Security Policy (CSP) on the PowerShell Universal web interface to mitigate the impact of any remaining script injection attempts"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting in Devolutions PowerShell Universal that could enable attacker\u2011supplied script execution or defacement"}, "threat_synthesis": {"affected_systems": "The issue is present in PowerShell Universal versions prior to 4.5.6 and prior to 5.6.13, as identified by the vendor advisory and the product\u2019s CPE entry.", "description_and_impact": "A cross\u2011site scripting flaw allows an attacker to inject arbitrary script into the web UI of Devolutions PowerShell Universal. The vulnerability is a classic CWE\u201179 weakness, and if exploited it can enable client\u2011side code execution or visual defacement of the application interface. These consequences are inferred from the nature of XSS and are not explicitly detailed in the vendor advisory.", "risk_and_exploitability": "The CVSS score of 6.1 denotes moderate severity. The EPSS probability is less than 1\u202f%, indicating a low likelihood of widespread exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, further suggesting it has not yet been actively targeted. The likely attack vector is a web\u2011based one, inferred from the nature of XSS in a web UI, though the advisory does not explicitly state the method of delivery."}}}}, "created": "2026-01-08T09:48:40.586244+00:00", "title": "Cross\u2011Site Scripting in Devolutions PowerShell Universal", "updated": "2026-04-18T17:00:05.572070+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$powershell_universal"]}