{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3204", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-02-25T14:37:51.415Z", "datePublished": "2026-03-03T21:24:30.044Z", "dateUpdated": "2026-03-04T16:36:47.100Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Server", "vendor": "Devolutions", "versions": [{"lessThanOrEqual": "2025.3.16", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper\n input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL."}], "value": "Improper\n input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-04T16:36:47.100Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0005"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T14:44:58.338119Z", "id": "CVE-2026-3204", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T14:45:14.798Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3204", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-04T14:44:58.338119Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T14:45:11.124Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2025.3.16"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0005"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper\n input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.", "supportingMedia": [{"type": "text/html", "value": "Improper\n input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-04T16:36:47.100Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3204", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:36:47.100Z", "dateReserved": "2026-02-25T14:37:51.415Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-03-03T21:24:30.044Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D67D29F-A563-4D85-ACBD-031E6319AD93", "versionEndIncluding": "2025.3.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper\n input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL."}], "id": "CVE-2026-3204", "lastModified": "2026-03-05T15:04:34.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-03T22:16:29.397", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0005"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.3.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-16T13:56:24.733045+00:00", "value": {"mitigation_remediation": ["Apply the latest Devolutions Server release (2025.3.17 or later) which contains the official fix for improper validation in the error page.", "If an upgrade is not immediately possible, configure the server to prevent query parameters from influencing error messages by disabling the message\u2011override feature or removing the ability to pass custom messages via the URL.", "Implement input validation or a web application firewall rule that rejects or sanitizes unexpected query parameters for the error page, reducing the risk of spoofed messages."], "summary": {"action": "Patch", "impact": "Remote Spoofing of Error Messages"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Devolutions Server, specifically the 2025.3.16 release line and all earlier revisions. Administrators running these versions should immediately review their deployments.", "description_and_impact": "Devolutions Server versions 2025.3.16 and earlier have a flaw where improperly validated input in the error message page allows a remote attacker to supply a crafted URL that causes the displayed error message to be replaced with any text the attacker chooses. This can be used to mislead users, facilitate social engineering or obfuscate legitimate errors, potentially impacting the integrity and trust of the information presented by the application.", "risk_and_exploitability": "The vulnerability carries a very high CVSS score of 9.8, indicating critical severity, yet its EPSS is noted as less than 1%, implying a currently low probability of exploitation. The flaw is accessed remotely via a crafted URL and does not require authentication. It is not listed in the CISA KEV catalog. Because the attacker can manipulate what users see, the attack vector is likely to be web-facing and could lead to confusion or phishing attempts, but does not directly compromise data or execution."}}}}, "created": "2026-03-04T14:53:45.531679+00:00", "title": "Error Message Spoofing via Crafted URL in Devolutions Server", "updated": "2026-04-16T14:00:19.482171+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}