Home / Vulnerability Intelligence / CVE-2026-3204

CVE-2026-3204 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 5, 2026

Devolutions Server - Reflected XSS

Published: March 3, 2026Updated: March 5, 2026Remote Exploitable

Overview

Devolutions Server <= 2025.3.15 contains a reflected XSS caused by improper input validation in the error message page, letting remote attackers spoof error messages via crafted URLs, exploit requires no special privileges.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 3.8%(Probability of exploitation in next 30 days)

Impact

Remote attackers can spoof error messages, potentially misleading users or executing scripts in their browsers.

Mitigation

Update to the latest version beyond 2025.3.15.

References

https://devolutions.net/security/advisories/DEVO-2026-0005

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 4, 2026

🔴 CVE-2026-3204 - Critical (9.8) Improper input validation in the error message page in Devolutions Server 2025.3.15 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3204/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-3204
Severity: Critical
CVSS Score: 9.8
Type: reflected_xss
Status: confirmed
EPSS: 3.8%
Social Posts: 1

CWE

CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.8%Probability of exploitation in the next 30 days