Ironmansoftware: >> Powershell Universal >> 2.3.1 Security Vulnerabilities
Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.
CVSS Score
5.5
EPSS Score
0.0
Published
2026-03-17
Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and disrupting service operations — via crafted gRPC requests.
CVSS Score
8.3
EPSS Score
0.0
Published
2026-03-17
The OpenID Connect (OIDC) authentication configuration in PowerShell
Universal before 2026.1.3 stores the OIDC client secret in cleartext in
the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials
CVSS Score
6.5
EPSS Score
0.0
Published
2026-02-27
Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-01-07
Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with a valid app token to retrieve other app tokens by ID via an HTTP web request. Patched Versions are 3.5.3, 3.4.7, and 2.12.6.
CVSS Score
8.8
EPSS Score
0.005
Published
2022-11-14