CVE-2026-20805

Desktop Window Manager Information Disclosure Vulnerability

CVSS 5.5 MEDIUM | EPSS 5.0% | KEV | CWE-200
Vexday Risk Score: 43 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS 5.5 | EPSS 5.0% | KEV yes | PoC | Nuclei | Metasploit | Patch referenced
Lifecycle
13 Jan 2026: Active exploitation (CISA KEV)
13 Jan 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
In short

Desktop Window Manager can leak sensitive information to someone with local access to your computer. An attacker already on your system could view data they shouldn't have access to.

Technical detail

A CWE-200 information disclosure vulnerability in Desktop Window Manager permits an authenticated local attacker to access sensitive data through improper access controls. The vulnerability requires local system access and results in a confidentiality breach without requiring user interaction or elevated privileges.

Summary generated and translated by AI from the official description.
Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
