Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another users context via a display name collision with an existing VPN script link.
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Remote_desktop_manager | Devolutions | 2026.2.5.0 (including) | 2026.2.12.0 (including) |