CVE-2026-13372 | Incorrect link resolution by display name in the custom Powe… | CVSS 7.2 HIGH

Description

Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.

Metadata

CVE ID: CVE-2026-13372
State: PUBLISHED
Assigner: DEVOLUTIONS
Reserved: 2026-06-25 19:55 UTC
Published: 2026-06-26 18:22 UTC
Last updated: 2026-06-26 19:25 UTC
Primary CWE: CWE-706
CWE-706
Vendor / Product: Devolutions / Remote Desktop Manager
Sources: cve.org · NVD

Severity & Metrics

7.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Devolutions	Remote Desktop Manager	—	2026.2.5 < 2026.2.11

Weakness (CWE)

CWE	Source	Description
CWE-706	cna	CWE-706

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.2	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (1)

https://devolutions.net/security/advisories/DEVO-2026-0021/