What is CVE-2026-25077?

CVE-2026-25077 is a high-severity vulnerability in Apache Cloudstack, classified under Code Injection. CVSS score: 8.8/10. Published 2026-05-08.

How severe is CVE-2026-25077?

High severity. CVSS v3 base score is 8.8 out of 10.

RCE in Apache Cloudstack

CVE-2026-25077

Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templat…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.000 (7.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Cloudstack
Apache Software Foundation Cloudstack — versions 4.11.0, 4.21.0.0

Weakness classification (CWE)

CWE-94 — Code Injection

References

security@apache.org (vendor-advisory, Mailing List, Vendor Advisory)
af854a3a-2127-422b-91ae-364da2661108

Frequently asked questions

What is CVE-2026-25077?: CVE-2026-25077 is a high-severity vulnerability in Apache Cloudstack, classified under Code Injection. CVSS score: 8.8/10. Published 2026-05-08.
How severe is CVE-2026-25077?: High severity. CVSS v3 base score is 8.8 out of 10.