Canonical

Lxd

16 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
Media report
  • EPSS 0.13%
  • Published 12.03.2026 14:51:29
  • Last modified 13.03.2026 19:54:31

An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected L...

Exploit
  • EPSS 0.02%
  • Published 03.03.2026 13:16:21
  • Last modified 11.03.2026 18:41:28

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.

Exploit
  • EPSS 0.07%
  • Published 02.10.2025 11:15:30
  • Last modified 10.12.2025 19:31:47

Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

Exploit
  • EPSS 0.04%
  • Published 02.10.2025 10:15:39
  • Last modified 24.10.2025 14:34:37

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

Exploit
  • EPSS 0.09%
  • Published 02.10.2025 10:15:39
  • Last modified 24.10.2025 14:20:05

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

Exploit
  • EPSS 0.09%
  • Published 02.10.2025 10:15:39
  • Last modified 24.10.2025 14:11:07

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

Exploit
  • EPSS 0.04%
  • Published 02.10.2025 10:15:39
  • Last modified 10.12.2025 19:29:48

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

Exploit
  • EPSS 0.02%
  • Published 02.10.2025 10:15:38
  • Last modified 22.10.2025 15:47:31

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

Exploit
  • EPSS 0.06%
  • Published 02.10.2025 10:15:38
  • Last modified 22.10.2025 15:39:01

Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pon...

Exploit
  • EPSS 0.06%
  • Published 02.10.2025 10:15:38
  • Last modified 24.10.2025 14:44:18

Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device...