Description
Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
Published: 2026-03-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Spoofing of Error Messages
Action: Patch
AI Analysis

Impact

Devolutions Server versions 2025.3.16 and earlier contain a flaw in which improperly validated input on the error message page lets a remote attacker supply a crafted URL that replaces the displayed error message with text of the attacker's choosing. This can mislead users, support social engineering, or obscure legitimate errors, undermining the integrity and trustworthiness of the information the application presents.

Affected Systems

The vulnerable product is Devolutions Server, specifically the 2025.3.16 release line and all earlier revisions. Administrators running these versions should immediately review their deployments.

Risk and Exploitability

The vulnerability carries a very high CVSS score of 9.8 (critical severity), yet its EPSS is below 1%, implying a currently low probability of exploitation. The flaw is reachable remotely via a crafted URL and requires no authentication. It is not listed in the CISA KEV catalog. Because the attacker controls what users see, the exposure is web-facing and could lead to confusion or phishing attempts, but the flaw does not directly compromise data or allow code execution.

Generated by OpenCVE AI on April 16, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Devolutions Server release (2025.3.17 or later) which contains the official fix for improper validation in the error page.
  • If an upgrade is not immediately possible, configure the server to prevent query parameters from influencing error messages by disabling the message‑override feature or removing the ability to pass custom messages via the URL.
  • Implement input validation or a web application firewall rule that rejects or sanitizes unexpected query parameters for the error page, reducing the risk of spoofed messages.
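As an added illustration of the last two actions (not Devolutions' code; the real handler, parameter names and page markup are not on this page and are assumed), the error-page pattern behind this weakness class beside its hardened form, plus the parameter check a WAF rule would enforce:

```python
from html import escape
from urllib.parse import parse_qs

# Assumed allow-list: the page may only ever show one of these fixed messages.
ERROR_MESSAGES = {
    "404": "The requested page could not be found.",
    "403": "You do not have permission to view this resource.",
    "500": "An internal error occurred. Please contact your administrator.",
}
GENERIC_MESSAGE = "An error occurred."
EXPECTED_PARAMS = {"code"}  # assumed: the only query parameter the page needs


def render_error_vulnerable(query_string: str) -> str:
    """Weak pattern: a free-text 'message' parameter is echoed into the page.
    HTML-escaping stops script injection but NOT spoofing: the attacker still
    dictates what the user reads, which is exactly the CWE-20 issue here."""
    params = parse_qs(query_string)
    message = params.get("message", [GENERIC_MESSAGE])[0]
    return f"<h1>Error</h1><p>{escape(message)}</p>"


def render_error_hardened(query_string: str) -> str:
    """Hardened form: the URL may only *select* an allow-listed error code.
    Message text never comes from the request, so no URL can forge it."""
    params = parse_qs(query_string)
    code = params.get("code", [""])[0]
    message = ERROR_MESSAGES.get(code, GENERIC_MESSAGE)
    return f"<h1>Error</h1><p>{escape(message)}</p>"


def has_only_expected_params(query_string: str) -> bool:
    """Edge-layer check of the kind a WAF rule would apply to the error page:
    reject any request carrying query parameters the page does not use."""
    return set(parse_qs(query_string, keep_blank_values=True)) <= EXPECTED_PARAMS
```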



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000
  Title (added): Error Message Spoofing via Crafted URL in Devolutions Server

Thu, 05 Mar 2026 15:15:00 +0000
  First Time appeared (added): Devolutions; devolutions Server
  CPEs (added): cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
  Vendors & Products (added): Devolutions; devolutions Server

Wed, 04 Mar 2026 16:45:00 +0000
  Description (removed): Improper input validation in the error message page in Devolutions Server 2025.3.15 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
  Description (added): Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.

Wed, 04 Mar 2026 15:15:00 +0000
  Metrics (added):
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000
  First Time appeared (added): Devolutions; Devolutions server
  Vendors & Products (added): Devolutions; Devolutions server

Tue, 03 Mar 2026 21:45:00 +0000
  Description (added): Improper input validation in the error message page in Devolutions Server 2025.3.15 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
  Weaknesses (added): CWE-20
  References

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-03-04T16:36:47.100Z

Reserved: 2026-02-25T14:37:51.415Z

Link: CVE-2026-3204

Vulnrichment

Updated: 2026-03-04T14:45:11.124Z

NVD

Status: Analyzed

Published: 2026-03-03T22:16:29.397

Modified: 2026-03-05T15:04:34.670

Link: CVE-2026-3204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses