Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-8477

Summary
Assigner-DEVOLUTIONS
Assigner Org ID-bfee16bd-18e6-446c-9a65-f5b2e3d89c23
Published At-22 May, 2026 | 15:27
Updated At-22 May, 2026 | 16:51
Rejected At-
Credits

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:DEVOLUTIONS
Assigner Org ID:bfee16bd-18e6-446c-9a65-f5b2e3d89c23
Published At:22 May, 2026 | 15:27
Updated At:22 May, 2026 | 16:51
Rejected At:
▼CVE Numbering Authority (CNA)

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Affected Products
Vendor
DevolutionsDevolutions
Product
Server
Default Status
unaffected
Versions
Affected
  • From 2026.1.6.0 through 2026.1.16.0 (custom)
  • From 0 through 2025.3.20.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-841CWE-841 Improper enforcement of behavioral workflow
Type: CWE
CWE ID: CWE-841
Description: CWE-841 Improper enforcement of behavioral workflow
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://devolutions.net/security/advisories/DEVO-2026-0013/
N/A
Hyperlink: https://devolutions.net/security/advisories/DEVO-2026-0013/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.12.7LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 2.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet

Similar CVEs

3Records found
CVE-2026-3130
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.02% / 7.07%
||
7 Day CHG~0.00%
Published-03 Mar, 2026 | 21:27
Updated-04 Mar, 2026 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-841
Improper Enforcement of Behavioral Workflow
CVE-2025-48479
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.5||HIGH
EPSS-0.11% / 29.38%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 04:34
Updated-04 Jun, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeScout Has Business Logic Errors

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180.

Action-Not Available
Vendor-freescoutfreescout-help-desk
Product-freescoutfreescout
CWE ID-CWE-841
Improper Enforcement of Behavioral Workflow
CVE-2025-48480
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7||HIGH
EPSS-0.11% / 29.38%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 04:34
Updated-04 Jun, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeScout Has Business Logic Errors

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an authorized user with the administrator role or with the privilege User::PERM_EDIT_USERS can create a user, specifying the path to the user's avatar ../.htaccess during creation, and then delete the user's avatar, resulting in the deletion of the file .htaccess in the folder /storage/app/public. This issue has been patched in version 1.8.180.

Action-Not Available
Vendor-freescoutfreescout-help-desk
Product-freescoutfreescout
CWE ID-CWE-841
Improper Enforcement of Behavioral Workflow
Details not found