CVE-2026-3221

{"id": "CVE-2026-3221", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2026-02-25T19:43:26.530", "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0004/", "tags": ["Vendor Advisory"], "source": "security@devolutions.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@devolutions.net", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "Sensitive\n user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with \naccess to the database to obtain sensitive user \ninformation via direct database access."}, {"lang": "es", "value": "Hay informaci\u00f3n sensible de cuentas de usuario que no est\u00e1 cifrada en la base de datos en Devolutions Server 2025.3.14 y versiones anteriores, lo que permite a un atacante con acceso a la base de datos obtener informaci\u00f3n sensible del usuario a trav\u00e9s del acceso directo a la base de datos."}], "lastModified": "2026-02-28T00:43:23.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DB87A4B-D40B-442F-8BF5-CA935BFADB3D", "versionEndExcluding": "2025.3.15.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@devolutions.net"}