Search

Find a vulnerability

Search criteria

    46 vulnerabilities found for LXD by Canonical

    CVE-2026-28385 (GCVE-0-2026-28385)

    Vulnerability from nvd – Published: 2026-06-26 16:23 – Updated: 2026-06-26 17:13
    VLAI
    Title
    SSRF via image import from URL allows internal network probing by authenticated users
    Summary
    In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.0 , < 6.10 (semver)
    Create a notification for this product.
    Credits
    Babajide Emmanuel Fakile
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28385",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T17:13:30.913771Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T17:13:58.172Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.10",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Babajide Emmanuel Fakile"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon\u0027s network position."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664: Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T16:23:56.456Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "SSRF via image import from URL allows internal network probing by authenticated users",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-3gq2-x4qg-p4g6"
            },
            {
              "name": "doc: update guide to hardening security for LXD",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/18462"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SSRF via image import from URL allows internal network probing by authenticated users"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-28385",
        "datePublished": "2026-06-26T16:23:56.456Z",
        "dateReserved": "2026-02-27T11:06:14.064Z",
        "dateUpdated": "2026-06-26T17:13:58.172Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9640 (GCVE-0-2026-9640)

    Vulnerability from nvd – Published: 2026-06-26 15:50 – Updated: 2026-06-30 03:55
    VLAI
    Title
    LXD Snapshot Import Privilege Escalation Vulnerability
    Summary
    A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 5.21.0 , < 5.21.5 (semver)
    Affected: 5.0.0 , < 5.0.7 (semver)
    Affected: 6.0 , < 6.9 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9640",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:55:24.628Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "LXD",
              "platforms": [
                "Linux"
              ],
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.21.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.9",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153: Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T15:50:38.453Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18301"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18303"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18304"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to LXD version 6.9 or later, 5.21.5 or later, or 5.0.7 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "LXD Snapshot Import Privilege Escalation Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-9640",
        "datePublished": "2026-06-26T15:50:38.453Z",
        "dateReserved": "2026-05-26T18:31:24.593Z",
        "dateUpdated": "2026-06-30T03:55:24.628Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9639 (GCVE-0-2026-9639)

    Vulnerability from nvd – Published: 2026-06-26 15:39 – Updated: 2026-06-26 16:02
    VLAI
    Title
    Authenticated Denial of Service via Malicious Backup Tarball in LXD
    Summary
    Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL pointer dereference
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 5.21.0 , < 5.21.5 (semver)
    Affected: 6.0 , < 6.9 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9639",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T16:01:50.334142Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T16:02:11.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "LXD",
              "platforms": [
                "Linux"
              ],
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.21.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.9",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL pointer dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T15:39:04.696Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18320"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18390"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to LXD version 5.21.5 or later, or 6.9 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated Denial of Service via Malicious Backup Tarball in LXD"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-9639",
        "datePublished": "2026-06-26T15:39:04.696Z",
        "dateReserved": "2026-05-26T18:31:05.985Z",
        "dateUpdated": "2026-06-26T16:02:11.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12411 (GCVE-0-2026-12411)

    Vulnerability from nvd – Published: 2026-06-26 15:27 – Updated: 2026-06-26 16:02
    VLAI
    Title
    Broken Access Control in Canonical LXD DevLXD API
    Summary
    Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization bypass through User-Controlled key
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.6 , < 6.9 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12411",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T16:02:35.514095Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T16:02:55.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.9",
                  "status": "affected",
                  "version": "6.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest\u0027s custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Manipulating User-Controlled Variables"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T15:27:55.111Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "Cross-guest volume hijack via DevLXD device patch",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
            },
            {
              "name": "Security fixes from the 6.9 release",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18585"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to LXD version 6.9 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Broken Access Control in Canonical LXD DevLXD API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-12411",
        "datePublished": "2026-06-26T15:27:55.111Z",
        "dateReserved": "2026-06-16T15:07:27.771Z",
        "dateUpdated": "2026-06-26T16:02:55.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34179 (GCVE-0-2026-34179)

    Vulnerability from nvd – Published: 2026-04-09 09:22 – Updated: 2026-04-09 11:54
    VLAI
    Title
    Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
    Summary
    In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-915 - Improperly controlled modification of Dynamically-Determined object attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 4.12.0 , < 5.0.7 (semver)
    Affected: 5.1.0 , < 5.21.5 (semver)
    Affected: 6.0.0 , < 6.8.0 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34179",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T11:54:14.860013Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T11:54:18.487Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "4.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.8.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly controlled modification of Dynamically-Determined object attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T09:22:14.693Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"
            },
            {
              "name": "Improve validation on certificate edit",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17936"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-34179",
        "datePublished": "2026-04-09T09:22:14.693Z",
        "dateReserved": "2026-03-26T09:24:08.449Z",
        "dateUpdated": "2026-04-09T11:54:18.487Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34178 (GCVE-0-2026-34178)

    Vulnerability from nvd – Published: 2026-04-09 09:18 – Updated: 2026-04-09 11:55
    VLAI
    Title
    Importing a crafted backup leads to project restriction bypass
    Summary
    In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 4.12.0 , < 5.0.7 (semver)
    Affected: 5.1.0 , < 5.21.5 (semver)
    Affected: 6.0.0 , < 6.8.0 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34178",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T11:54:57.626476Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T11:55:20.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "4.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.8.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T09:18:58.404Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "Importing a crafted backup leads to project restriction bypass",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4"
            },
            {
              "name": "Import: Create backup config from index",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17921"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Importing a crafted backup leads to project restriction bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-34178",
        "datePublished": "2026-04-09T09:18:58.404Z",
        "dateReserved": "2026-03-26T09:24:08.449Z",
        "dateUpdated": "2026-04-09T11:55:20.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34177 (GCVE-0-2026-34177)

    Vulnerability from nvd – Published: 2026-04-09 09:15 – Updated: 2026-04-09 12:12
    VLAI
    Title
    VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
    Summary
    Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-184 - Incomplete list of disallowed inputs
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 4.12.0 , < 5.0.7 (semver)
    Affected: 5.1.0 , < 5.21.5 (semver)
    Affected: 6.0.0 , < 6.8.0 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34177",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T12:12:43.482752Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T12:12:48.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "4.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.8.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184 Incomplete list of disallowed inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T09:15:27.532Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f"
            },
            {
              "name": "lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17909"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-34177",
        "datePublished": "2026-04-09T09:15:27.532Z",
        "dateReserved": "2026-03-26T09:24:08.448Z",
        "dateUpdated": "2026-04-09T12:12:48.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28384 (GCVE-0-2026-28384)

    Vulnerability from nvd – Published: 2026-03-12 14:51 – Updated: 2026-03-13 16:30
    VLAI
    Title
    Authenticated RCE via unsanitized compression_algorithm
    Summary
    An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.0 , < 6.7 (semver)
    Affected: 5.21.0 , < 5.21.4 (semver)
    Affected: 5.0.0 , < 5.0.6 (semver)
    Affected: 4.12
    Create a notification for this product.
    Date Public
    2026-03-12 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28384",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:30:00.719316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:30:06.396Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "images.go",
                "instance_backup.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.7",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.6",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.12"
                }
              ]
            }
          ],
          "datePublic": "2026-03-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper sanitization of the \u003ctt\u003ecompression_algorithm\u003c/tt\u003e parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10."
                }
              ],
              "value": "An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-12T15:02:57.074Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/043696a13171ace7dd4c2b32d34ce039ab629052"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/7046979645c2ce1b63b2f9e60ddf6cbc4c4b78f9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/b7b411caf5c4971bfe2386c72128f44d7e2aaf4f"
            },
            {
              "tags": [
                "media-coverage"
              ],
              "url": "https://discourse.ubuntu.com/t/lxd-authenticated-remote-code-execution-fixes-available/78365"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated RCE via unsanitized compression_algorithm"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-28384",
        "datePublished": "2026-03-12T14:51:29.991Z",
        "dateReserved": "2026-02-27T11:06:14.064Z",
        "dateUpdated": "2026-03-13T16:30:06.396Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3351 (GCVE-0-2026-3351)

    Vulnerability from nvd – Published: 2026-03-03 12:49 – Updated: 2026-03-05 17:20
    VLAI
    Title
    Authorization Bypass in LXD GET /1.0/certificates Endpoint
    Summary
    Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3351",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T14:46:45.446167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T14:47:00.765Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical/lxd",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "certificates.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T17:20:25.645Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r"
            },
            {
              "name": "lxd/certificates: Return only allowed certificates in non-recursive list",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17738"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authorization Bypass in LXD GET /1.0/certificates Endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-3351",
        "datePublished": "2026-03-03T12:49:25.034Z",
        "dateReserved": "2026-02-27T16:38:38.974Z",
        "dateUpdated": "2026-03-05T17:20:25.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54293 (GCVE-0-2025-54293)

    Vulnerability from nvd – Published: 2025-10-02 10:43 – Updated: 2025-10-02 15:53
    VLAI
    Title
    Path Traversal in LXD Instance Log File Retrieval
    Summary
    Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54293",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T15:29:32.525667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T15:53:20.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links."
                }
              ],
              "value": "Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:58.246Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Path Traversal in LXD Instance Log File Retrieval"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54293",
        "datePublished": "2025-10-02T10:43:58.246Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T15:53:20.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54292 (GCVE-0-2025-54292)

    Vulnerability from nvd – Published: 2025-10-02 09:26 – Updated: 2025-10-02 15:53
    VLAI
    Title
    Client-Side Path Traversal in LXD-UI
    Summary
    Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54292",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T15:29:53.977916Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T15:53:35.597Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths."
                }
              ],
              "value": "Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:57.080Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Client-Side Path Traversal in LXD-UI"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54292",
        "datePublished": "2025-10-02T09:26:39.228Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T15:53:35.597Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54291 (GCVE-0-2025-54291)

    Vulnerability from nvd – Published: 2025-10-02 09:25 – Updated: 2025-10-02 17:29
    VLAI
    Title
    Project existence disclosure in LXD images API
    Summary
    Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54291",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T17:29:40.781427Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T17:29:54.196Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses."
                }
              ],
              "value": "Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-497",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-497 File Discovery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:55.396Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Project existence disclosure in LXD images API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54291",
        "datePublished": "2025-10-02T09:25:42.466Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T17:29:54.196Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54290 (GCVE-0-2025-54290)

    Vulnerability from nvd – Published: 2025-10-02 09:24 – Updated: 2025-10-02 17:31
    VLAI
    Title
    Project Existence Disclosure via Error Handling in LXD Image Export
    Summary
    Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54290",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T17:30:50.760985Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T17:31:02.699Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints."
                }
              ],
              "value": "Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-131",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-131 Resource Leak Exposure"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:53.703Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Project Existence Disclosure via Error Handling in LXD Image Export"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54290",
        "datePublished": "2025-10-02T09:24:12.894Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T17:31:02.699Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54289 (GCVE-0-2025-54289)

    Vulnerability from nvd – Published: 2025-10-02 09:23 – Updated: 2026-02-26 17:48
    VLAI
    Title
    Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API
    Summary
    Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1385 - Missing Origin Validation in WebSockets
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54289",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-03T03:55:37.907288Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:48:23.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Privilege Escalation in operations API in Canonical LXD \u0026lt;6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format"
                }
              ],
              "value": "Privilege Escalation in operations API in Canonical LXD \u003c6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-593",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-593 Session Hijacking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1385",
                  "description": "CWE-1385: Missing Origin Validation in WebSockets",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-03T13:15:54.374Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54289",
        "datePublished": "2025-10-02T09:23:03.238Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2026-02-26T17:48:23.663Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54288 (GCVE-0-2025-54288)

    Vulnerability from nvd – Published: 2025-10-02 09:20 – Updated: 2025-10-02 13:22
    VLAI
    Title
    Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
    Summary
    Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54288",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T13:22:52.637179Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T13:22:55.575Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line."
                }
              ],
              "value": "Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-154",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-154 Resource Location Spoofing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:50.400Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54288",
        "datePublished": "2025-10-02T09:20:33.135Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T13:22:55.575Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54287 (GCVE-0-2025-54287)

    Vulnerability from nvd – Published: 2025-10-02 09:16 – Updated: 2025-10-02 13:27
    VLAI
    Title
    Arbitrary File Read via Template Injection in Snapshot Patterns
    Summary
    Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54287",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T13:27:39.753650Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T13:27:42.957Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Template Injection in instance snapshot creation component in Canonical LXD (\u0026gt;= 4.0) allows an attacker with instance configuration \npermissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine."
                }
              ],
              "value": "Template Injection in instance snapshot creation component in Canonical LXD (\u003e= 4.0) allows an attacker with instance configuration \npermissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1336",
                  "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:48.716Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary File Read via Template Injection in Snapshot Patterns"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54287",
        "datePublished": "2025-10-02T09:16:02.241Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T13:27:42.957Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54286 (GCVE-0-2025-54286)

    Vulnerability from nvd – Published: 2025-10-02 09:12 – Updated: 2026-02-26 17:48
    VLAI
    Title
    CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI
    Summary
    Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 5.0 , < 5.0.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Affected: 6.0 , < 6.5 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54286",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-03T03:55:39.092079Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:48:23.958Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.0.5",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u0026gt;= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication."
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u003e= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:46.978Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54286",
        "datePublished": "2025-10-02T09:12:49.044Z",
        "dateReserved": "2025-07-18T07:59:07.916Z",
        "dateUpdated": "2026-02-26T17:48:23.958Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28385 (GCVE-0-2026-28385)

    Vulnerability from cvelistv5 – Published: 2026-06-26 16:23 – Updated: 2026-06-26 17:13
    VLAI
    Title
    SSRF via image import from URL allows internal network probing by authenticated users
    Summary
    In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.0 , < 6.10 (semver)
    Create a notification for this product.
    Credits
    Babajide Emmanuel Fakile
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28385",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T17:13:30.913771Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T17:13:58.172Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.10",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Babajide Emmanuel Fakile"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon\u0027s network position."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664: Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T16:23:56.456Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "SSRF via image import from URL allows internal network probing by authenticated users",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-3gq2-x4qg-p4g6"
            },
            {
              "name": "doc: update guide to hardening security for LXD",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/18462"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SSRF via image import from URL allows internal network probing by authenticated users"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-28385",
        "datePublished": "2026-06-26T16:23:56.456Z",
        "dateReserved": "2026-02-27T11:06:14.064Z",
        "dateUpdated": "2026-06-26T17:13:58.172Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9640 (GCVE-0-2026-9640)

    Vulnerability from cvelistv5 – Published: 2026-06-26 15:50 – Updated: 2026-06-30 03:55
    VLAI
    Title
    LXD Snapshot Import Privilege Escalation Vulnerability
    Summary
    A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 5.21.0 , < 5.21.5 (semver)
    Affected: 5.0.0 , < 5.0.7 (semver)
    Affected: 6.0 , < 6.9 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9640",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:55:24.628Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "LXD",
              "platforms": [
                "Linux"
              ],
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.21.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.9",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153: Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T15:50:38.453Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-ppq7-4492-5552"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18301"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18303"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18304"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to LXD version 6.9 or later, 5.21.5 or later, or 5.0.7 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "LXD Snapshot Import Privilege Escalation Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-9640",
        "datePublished": "2026-06-26T15:50:38.453Z",
        "dateReserved": "2026-05-26T18:31:24.593Z",
        "dateUpdated": "2026-06-30T03:55:24.628Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9639 (GCVE-0-2026-9639)

    Vulnerability from cvelistv5 – Published: 2026-06-26 15:39 – Updated: 2026-06-26 16:02
    VLAI
    Title
    Authenticated Denial of Service via Malicious Backup Tarball in LXD
    Summary
    Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL pointer dereference
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 5.21.0 , < 5.21.5 (semver)
    Affected: 6.0 , < 6.9 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9639",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T16:01:50.334142Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T16:02:11.520Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "LXD",
              "platforms": [
                "Linux"
              ],
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.21.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.9",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL pointer dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T15:39:04.696Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-j93m-3j9p-m5m8"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18320"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18390"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to LXD version 5.21.5 or later, or 6.9 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated Denial of Service via Malicious Backup Tarball in LXD"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-9639",
        "datePublished": "2026-06-26T15:39:04.696Z",
        "dateReserved": "2026-05-26T18:31:05.985Z",
        "dateUpdated": "2026-06-26T16:02:11.520Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12411 (GCVE-0-2026-12411)

    Vulnerability from cvelistv5 – Published: 2026-06-26 15:27 – Updated: 2026-06-26 16:02
    VLAI
    Title
    Broken Access Control in Canonical LXD DevLXD API
    Summary
    Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization bypass through User-Controlled key
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.6 , < 6.9 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12411",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T16:02:35.514095Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T16:02:55.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.9",
                  "status": "affected",
                  "version": "6.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest\u0027s custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Manipulating User-Controlled Variables"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization bypass through User-Controlled key",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T15:27:55.111Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "Cross-guest volume hijack via DevLXD device patch",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
            },
            {
              "name": "Security fixes from the 6.9 release",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/pull/18585"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to LXD version 6.9 or later."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Broken Access Control in Canonical LXD DevLXD API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-12411",
        "datePublished": "2026-06-26T15:27:55.111Z",
        "dateReserved": "2026-06-16T15:07:27.771Z",
        "dateUpdated": "2026-06-26T16:02:55.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34179 (GCVE-0-2026-34179)

    Vulnerability from cvelistv5 – Published: 2026-04-09 09:22 – Updated: 2026-04-09 11:54
    VLAI
    Title
    Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
    Summary
    In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-915 - Improperly controlled modification of Dynamically-Determined object attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 4.12.0 , < 5.0.7 (semver)
    Affected: 5.1.0 , < 5.21.5 (semver)
    Affected: 6.0.0 , < 6.8.0 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34179",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T11:54:14.860013Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T11:54:18.487Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "4.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.8.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly controlled modification of Dynamically-Determined object attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T09:22:14.693Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"
            },
            {
              "name": "Improve validation on certificate edit",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17936"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-34179",
        "datePublished": "2026-04-09T09:22:14.693Z",
        "dateReserved": "2026-03-26T09:24:08.449Z",
        "dateUpdated": "2026-04-09T11:54:18.487Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34178 (GCVE-0-2026-34178)

    Vulnerability from cvelistv5 – Published: 2026-04-09 09:18 – Updated: 2026-04-09 11:55
    VLAI
    Title
    Importing a crafted backup leads to project restriction bypass
    Summary
    In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 4.12.0 , < 5.0.7 (semver)
    Affected: 5.1.0 , < 5.21.5 (semver)
    Affected: 6.0.0 , < 6.8.0 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34178",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T11:54:57.626476Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T11:55:20.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "4.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.8.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T09:18:58.404Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "Importing a crafted backup leads to project restriction bypass",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4"
            },
            {
              "name": "Import: Create backup config from index",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17921"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Importing a crafted backup leads to project restriction bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-34178",
        "datePublished": "2026-04-09T09:18:58.404Z",
        "dateReserved": "2026-03-26T09:24:08.449Z",
        "dateUpdated": "2026-04-09T11:55:20.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34177 (GCVE-0-2026-34177)

    Vulnerability from cvelistv5 – Published: 2026-04-09 09:15 – Updated: 2026-04-09 12:12
    VLAI
    Title
    VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
    Summary
    Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-184 - Incomplete list of disallowed inputs
    Assigner
    References
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 4.12.0 , < 5.0.7 (semver)
    Affected: 5.1.0 , < 5.21.5 (semver)
    Affected: 6.0.0 , < 6.8.0 (semver)
    Create a notification for this product.
    Credits
    Miha Purg
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34177",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T12:12:43.482752Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T12:12:48.251Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "permissions.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "5.0.7",
                  "status": "affected",
                  "version": "4.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.5",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.8.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miha Purg"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184 Incomplete list of disallowed inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T09:15:27.532Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "name": "VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf",
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f"
            },
            {
              "name": "lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17909"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-34177",
        "datePublished": "2026-04-09T09:15:27.532Z",
        "dateReserved": "2026-03-26T09:24:08.448Z",
        "dateUpdated": "2026-04-09T12:12:48.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28384 (GCVE-0-2026-28384)

    Vulnerability from cvelistv5 – Published: 2026-03-12 14:51 – Updated: 2026-03-13 16:30
    VLAI
    Title
    Authenticated RCE via unsanitized compression_algorithm
    Summary
    An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.0 , < 6.7 (semver)
    Affected: 5.21.0 , < 5.21.4 (semver)
    Affected: 5.0.0 , < 5.0.6 (semver)
    Affected: 4.12
    Create a notification for this product.
    Date Public
    2026-03-12 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28384",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T16:30:00.719316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T16:30:06.396Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "images.go",
                "instance_backup.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.7",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.6",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.12"
                }
              ]
            }
          ],
          "datePublic": "2026-03-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper sanitization of the \u003ctt\u003ecompression_algorithm\u003c/tt\u003e parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10."
                }
              ],
              "value": "An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-12T15:02:57.074Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/043696a13171ace7dd4c2b32d34ce039ab629052"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/7046979645c2ce1b63b2f9e60ddf6cbc4c4b78f9"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/b7b411caf5c4971bfe2386c72128f44d7e2aaf4f"
            },
            {
              "tags": [
                "media-coverage"
              ],
              "url": "https://discourse.ubuntu.com/t/lxd-authenticated-remote-code-execution-fixes-available/78365"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authenticated RCE via unsanitized compression_algorithm"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-28384",
        "datePublished": "2026-03-12T14:51:29.991Z",
        "dateReserved": "2026-02-27T11:06:14.064Z",
        "dateUpdated": "2026-03-13T16:30:06.396Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3351 (GCVE-0-2026-3351)

    Vulnerability from cvelistv5 – Published: 2026-03-03 12:49 – Updated: 2026-03-05 17:20
    VLAI
    Title
    Authorization Bypass in LXD GET /1.0/certificates Endpoint
    Summary
    Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Canonical lxd Affected: 6.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3351",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T14:46:45.446167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T14:47:00.765Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/canonical/lxd",
              "defaultStatus": "unaffected",
              "packageName": "lxd",
              "platforms": [
                "Linux"
              ],
              "product": "lxd",
              "programFiles": [
                "certificates.go"
              ],
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "exploitMaturity": "PROOF_OF_CONCEPT",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T17:20:25.645Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "vendor-advisory"
              ],
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r"
            },
            {
              "name": "lxd/certificates: Return only allowed certificates in non-recursive list",
              "tags": [
                "patch",
                "issue-tracking"
              ],
              "url": "https://github.com/canonical/lxd/pull/17738"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authorization Bypass in LXD GET /1.0/certificates Endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2026-3351",
        "datePublished": "2026-03-03T12:49:25.034Z",
        "dateReserved": "2026-02-27T16:38:38.974Z",
        "dateUpdated": "2026-03-05T17:20:25.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54293 (GCVE-0-2025-54293)

    Vulnerability from cvelistv5 – Published: 2025-10-02 10:43 – Updated: 2025-10-02 15:53
    VLAI
    Title
    Path Traversal in LXD Instance Log File Retrieval
    Summary
    Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54293",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T15:29:32.525667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T15:53:20.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links."
                }
              ],
              "value": "Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:58.246Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Path Traversal in LXD Instance Log File Retrieval"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54293",
        "datePublished": "2025-10-02T10:43:58.246Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T15:53:20.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54292 (GCVE-0-2025-54292)

    Vulnerability from cvelistv5 – Published: 2025-10-02 09:26 – Updated: 2025-10-02 15:53
    VLAI
    Title
    Client-Side Path Traversal in LXD-UI
    Summary
    Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54292",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T15:29:53.977916Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T15:53:35.597Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths."
                }
              ],
              "value": "Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:57.080Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Client-Side Path Traversal in LXD-UI"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54292",
        "datePublished": "2025-10-02T09:26:39.228Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T15:53:35.597Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54291 (GCVE-0-2025-54291)

    Vulnerability from cvelistv5 – Published: 2025-10-02 09:25 – Updated: 2025-10-02 17:29
    VLAI
    Title
    Project existence disclosure in LXD images API
    Summary
    Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54291",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T17:29:40.781427Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T17:29:54.196Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses."
                }
              ],
              "value": "Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-497",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-497 File Discovery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:55.396Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Project existence disclosure in LXD images API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54291",
        "datePublished": "2025-10-02T09:25:42.466Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T17:29:54.196Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54290 (GCVE-0-2025-54290)

    Vulnerability from cvelistv5 – Published: 2025-10-02 09:24 – Updated: 2025-10-02 17:31
    VLAI
    Title
    Project Existence Disclosure via Error Handling in LXD Image Export
    Summary
    Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    Canonical LXD Affected: 6.0 , < 6.5 (semver)
    Affected: 5.21 , < 5.21.4 (semver)
    Create a notification for this product.
    Credits
    GMO Flatt Security Inc.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54290",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-02T17:30:50.760985Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-02T17:31:02.699Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LXD",
              "repo": "https://github.com/canonical/lxd",
              "vendor": "Canonical",
              "versions": [
                {
                  "lessThan": "6.5",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.21.4",
                  "status": "affected",
                  "version": "5.21",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "GMO Flatt Security Inc."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints."
                }
              ],
              "value": "Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-131",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-131 Resource Leak Exposure"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T10:43:53.703Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "url": "https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Project Existence Disclosure via Error Handling in LXD Image Export"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2025-54290",
        "datePublished": "2025-10-02T09:24:12.894Z",
        "dateReserved": "2025-07-18T07:59:07.917Z",
        "dateUpdated": "2025-10-02T17:31:02.699Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }