Path Traversal in Canonical Lxd

CVE-2025-54292

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (11.4th percentile) — read the EPSS interpretation.

Affected products

Canonical Lxd — versions 6.0, 5.21

Weakness classification (CWE)

CWE-22 — Path Traversal

References

github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3