Description
Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
Published: 2026-01-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting in Devolutions PowerShell Universal that could enable attacker‑supplied script execution or defacement
Action: Patch
AI Analysis

Impact

A cross‑site scripting flaw allows an attacker to inject arbitrary script into the web UI of Devolutions PowerShell Universal. The vulnerability is a classic CWE‑79 weakness, and if exploited it can enable client‑side code execution or visual defacement of the application interface. These consequences are inferred from the nature of XSS and are not explicitly detailed in the vendor advisory.

Affected Systems

The issue is present in PowerShell Universal versions prior to 4.5.6 and prior to 5.6.13, as identified by the vendor advisory and the product’s CPE entry.

Risk and Exploitability

The CVSS score of 6.1 denotes moderate severity. The EPSS probability is less than 1 %, indicating a low likelihood of widespread exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, further suggesting it has not yet been actively targeted. The likely attack vector is a web‑based one, inferred from the nature of XSS in a web UI, though the advisory does not explicitly state the method of delivery.

Generated by OpenCVE AI on April 18, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch that updates PowerShell Universal to version 4.5.6 or newer, or to 5.6.13 or newer
  • Limit web access to administrators and restrict exposure of the web UI to trusted networks
  • Implement a strict Content Security Policy (CSP) on the PowerShell Universal web interface to mitigate the impact of any remaining script injection attempts

Generated by OpenCVE AI on April 18, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Devolutions PowerShell Universal

Fri, 30 Jan 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Ironmansoftware
Ironmansoftware powershell Universal
CPEs cpe:2.3:a:ironmansoftware:powershell_universal:*:*:*:*:*:*:*:*
Vendors & Products Ironmansoftware
Ironmansoftware powershell Universal

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions powershell Universal
Vendors & Products Devolutions
Devolutions powershell Universal

Wed, 07 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Description Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
Weaknesses CWE-79
References

Subscriptions

Devolutions Powershell Universal
Ironmansoftware Powershell Universal
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-01-07T17:21:44.829Z

Reserved: 2026-01-05T18:08:41.762Z

Link: CVE-2026-0618

cve-icon Vulnrichment

Updated: 2026-01-07T17:21:39.286Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T17:16:02.127

Modified: 2026-01-30T01:41:53.137

Link: CVE-2026-0618

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses