{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3563", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-03-04T19:53:50.594Z", "datePublished": "2026-03-17T19:15:37.820Z", "dateUpdated": "2026-03-17T20:04:00.419Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-17T19:15:37.820Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1289", "description": "CWE-1289 Improper validation of unsafe equivalence in input", "type": "CWE"}]}], "affected": [{"vendor": "Devolutions", "product": "PowerShell Universal", "versions": [{"status": "affected", "version": "2026.1.0", "lessThan": "2026.1.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div><div>Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.</div></div></div>"}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0008"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T20:03:34.884955Z", "id": "CVE-2026-3563", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T20:04:00.419Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T20:03:34.884955Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T20:03:56.949Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "PowerShell Universal", "versions": [{"status": "affected", "version": "2026.1.0", "lessThan": "2026.1.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0008"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.", "supportingMedia": [{"type": "text/html", "value": "<div><div><div>Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.</div></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1289", "description": "CWE-1289 Improper validation of unsafe equivalence in input"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-17T19:15:37.820Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3563", "state": "PUBLISHED", "dateUpdated": "2026-03-17T20:04:00.419Z", "dateReserved": "2026-03-04T19:53:50.594Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-03-17T19:15:37.820Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ironmansoftware:powershell_universal:*:*:*:*:*:*:*:*", "matchCriteriaId": "7031D7B5-ECB2-458C-A64E-8F49BE50B76E", "versionEndExcluding": "2026.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path."}, {"lang": "es", "value": "Validaci\u00f3n de entrada incorrecta en la configuraci\u00f3n de aplicaciones y endpoints en PowerShell Universal anterior a 2026.1.4 permite a un usuario autenticado con permisos para crear o modificar aplicaciones o endpoints anular rutas de aplicaci\u00f3n o del sistema existentes, lo que resulta en un enrutamiento de solicitudes no intencionado y denegaci\u00f3n de servicio a trav\u00e9s de una ruta de URL en conflicto."}], "id": "CVE-2026-3563", "lastModified": "2026-03-19T13:04:11.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-17T20:16:14.587", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0008"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1289"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0,2026.1.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerShell Universal", "source": "cna", "vendor": "Devolutions"}, "product": "powershell_universal", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-03-19T15:32:58.146695+00:00", "value": {"mitigation_remediation": ["Apply the vendor-provided patch by upgrading PowerShell Universal to version\u00a02026.1.4 or later.", "Check the vendor\u2019s security advisory (https://devolutions.net/security/advisories/DEVO-2026-0008) for any additional mitigation steps.", "If an immediate upgrade is not possible, review and restrict permissions for users who can create or modify apps and endpoints to prevent unauthorized route overrides.", "Monitor application logs for unexpected route changes or denial-of-service events to detect potential exploitation attempts."], "summary": {"action": "Patch Upgrade", "impact": "Denial of Service via unintended request routing"}, "threat_synthesis": {"affected_systems": "All installations of Devolutions PowerShell\u00a0Universal prior to version 2026.1.4 are affected. The vendor, Devolutions, has identified this as a flaw in all versions before the 2026.1.4 release.", "description_and_impact": "Improper input validation in PowerShell Universal allows an authenticated user with permissions to create or modify apps or endpoints to override existing application or system routes, resulting in unintended request routing and denial of service due to a conflicting URL path. The weakness corresponds to CWE-1289, exposing the application to path manipulation attacks that can disrupt service availability.", "risk_and_exploitability": "The CVSS score is 5.5, indicating a moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who already has the authority to create or modify apps or endpoints; the attack vector is therefore limited to authorized users within the target environment."}}}}, "created": "2026-03-18T10:42:52.917453+00:00", "title": "Authenticated Route Override in Devolutions PowerShell Universal", "updated": "2026-03-24T10:54:42.192668+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$powershell_universal"]}