12 matches found
GHSA-48Q5-W887-33WV Incus has a restricted project bypass leading to arbitrary command execution
Summary Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for arbitrary command execution on the Incus server by abusing lowlevel hooks such as raw.lxc and raw.qemu. Details Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for...
PT-2026-53012
Name of the Vulnerable Software and Affected Versions Incus affected versions not specified Description Instance snapshots ignore the restricted.containers.lowlevel=block setting, which allows for arbitrary command execution on the Incus server. This occurs by abusing lowlevel hooks such as raw.l...
GHSA-FM2X-C5QW-4H6F LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Summary The isVMLowLevelOptionForbidden function in lxd/project/limits/permissions.go is missing raw.apparmor and raw.qemu.conf from its hardcoded forbidden list. A user with canedit permission on a VM instance in a restricted project can combine these two omissions to bridge the LXD unix socket...
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Summary The isVMLowLevelOptionForbidden function in lxd/project/limits/permissions.go is missing raw.apparmor and raw.qemu.conf from its hardcoded forbidden list. A user with canedit permission on a VM instance in a restricted project can combine these two omissions to bridge the LXD unix socket...
CVE-2026-34177 VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote...
CVE-2026-34177 VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote...
CVE-2026-34177
The CVE concerns Canonical LXD versions 4.12–6.7. It documents an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go) that omits raw.apparmor and raw.qemu.conf from restricted.virtual-machines.lowlevel=block. A remote attacker who has can_edit permission on a VM...
CVE-2026-34177 VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote...
Exposed Dangerous Method or Function
Overview typo3/cms-lowlevel is an Enables the 'Config' and 'DB Check' modules for technical analysis of the system. This includes raw database search, checking relations, counting pages and records etc. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via t...
Unchecked return value of low-level call()/delegatecall()
Lines of code 120, 141, 411, 184, 160, 189, 152, 444, 625, 638https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contract...
TYPO3 SQL Injection in low-level Query Generator
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backe...
Slither v0.6.7 - Static Analyzer For Solidity
Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code...