Cyber Resilience

CVE-2026-13372

High

Published: 26 June 2026

Published
26 June 2026
Modified
26 June 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 19.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-13372 is a high-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Devolutions Remote Desktop (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context…

more

via a display name collision with an existing VPN script link.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Devolutions
Remote Desktop
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References