32 matches found
CVE-2026-28385
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery SSRF vulnerability in the image import functionality allows authenticated users with the cancreateimages entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a...
EUVD-2026-39794
A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy...
CVE-2026-9639
CVE-2026-9639 describes a nil-pointer dereference in LXD’s CreateCustomVolumeFromBackup. On Linux, affected versions are up to 6.8 and 5.21. An authenticated user with the ability to can_create_storage_volumes can trigger a denial of service by supplying a specially crafted custom-volume backup t...
ROS-20260513-73-0018
Vulnerability in lxd related to insufficient input validation. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...
Linux Distros Unpatched Vulnerability : CVE-2026-34179
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH...
Linux Distros Unpatched Vulnerability : CVE-2026-34177
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmo...
Linux Distros Unpatched Vulnerability : CVE-2026-34178
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instanc...
DEBIAN-CVE-2026-34179
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/fingerprint for restricted TLS certificate users, allowing a remote authenticated attacker to escalate...
Linux Distros Unpatched Vulnerability : CVE-2026-28384
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An improper sanitization of the compressionalgorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon...
SUSE CVE-2026-28384
An improper sanitization of the compressionalgorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the sn...
CVE-2026-28384
An improper sanitization of the compressionalgorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the sn...
Linux Distros Unpatched Vulnerability : CVE-2026-3351
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the GET /1.0/certificates API endpoint. An attacker can enumerate all certificate fingerprints trusted by the server by sending crafted requests as an authenticated, restricted user. Remediation Upgrade...
CVE-2026-3351
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server...
Information Disclosure
github.com/canonical/lxd is vulnerable to Information Disclosure. The vulnerability is due to insufficient validation of process names, where attackers with root access in a container can spoof command-line names to impersonate other containers and obtain their metadata...
Linux Distros Unpatched Vulnerability : CVE-2025-54287
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary...
EUVD-2023-57848
Malicious code in bioql PyPI...
EUVD-2022-3203
Malicious code in bioql PyPI...
GHSA-3G72-CHJ4-2228 Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API
Impact LXD's operations API includes secret values necessary for WebSocket connections when retrieving information about running operations. These secret values are used for authentication of WebSocket connections for terminal and console sessions. Therefore, attackers with only read permissions...
LXD 安全漏洞
LXD is a Canonical open source container for managing applications on Linux-based systems. A security vulnerability exists in LXD versions prior to 6.5 and 5.21.4, which stems from a specially crafted resource name embedded in a URL path that could lead to a path traversal attack...