Lucene search
K

7 matches found

CVE
CVE
added 2026/05/08 12:22 p.m.32 views

CVE-2026-25199

The CVE describes a vulnerability in the Proxmox extension for Apache CloudStack (affecting 4.21.0.0–4.22.0.0) where the user-editable proxmox_vmid setting is not validated against tenant ownership. An unauthenticated attacker can modify proxmox_vmid to reference a VM owned by another account, gr...

9.1CVSS5.8AI score0.005EPSS
CVE
CVE
added 2026/05/08 12:21 p.m.25 views

CVE-2026-25077

CVE-2026-25077 affects Apache CloudStack with KVM deployments. Due to missing file name sanitization, account users can register templates for direct download to primary storage, enabling an attacker to execute arbitrary code on KVM hosts. This can compromise resource integrity and confidentialit...

8.8CVSS6.2AI score0.00726EPSS
CVE
CVE
added 2026/05/08 12:16 p.m.23 views

CVE-2025-66467

CVE-2025-66467 affects Apache CloudStack in scenarios where MinIO policy cleanup is not performed on bucket deletion. The issue allows previous bucket owners to retain access to buckets they formerly owned: if another user creates a bucket with the same name, those prior owners can gain unauthori...

8.1CVSS5.8AI score0.00373EPSS
CVE
CVE
added 2026/05/08 12:11 p.m.20 views

CVE-2025-66171

CVE-2025-66171 affects the CloudStack Backup plugin in CloudStack 4.21.0.0 and 4.22.0.0, where an improper access logic allows any authenticated user with access to specific APIs to create new VMs using backups belonging to other users. Public docs from NVD/CVE and EUVD- ENISA reiterate upgrade g...

6.5CVSS5.8AI score0.0053EPSS
CVE
CVE
added 2026/05/08 12:19 p.m.20 views

CVE-2025-69233

CVE-2025-69233 affects Apache CloudStack and describes time-of-check/time-of-use race conditions in the resource count check and increment logic, along with missing validations, that allow users to exceed allocation limits for accounts/domains. This can enable an attacker to degrade infrastructur...

6.5CVSS5.7AI score0.00433EPSS
CVE
CVE
added 2026/05/08 12:13 p.m.19 views

CVE-2025-66172

The CVE pertains to CloudStack’s Backup plugin, affected in versions 4.21.0.0 to 4.22.0.0, where improper access logic allows any authenticated user in a CloudStack 4.21.0.0+ environment (with the plugin enabled and API access) to restore a volume from another user’s backups and attach it to thei...

8.1CVSS5.8AI score0.00512EPSS
CVE
CVE
added 2026/05/08 12:6 p.m.18 views

CVE-2025-66170

The CVE affects the CloudStack Backup plugin (versions 4.21.0.0 and 4.22.0.0). An improper authorization logic lets any authenticated user with access to the plugin’s APIs list backups from any account, though they cannot view the backup contents. The issue is resolved by upgrading to version 4.2...

6.5CVSS5.8AI score0.00486EPSS