Vulnerability in Lxc Incus
CVE-2026-33897
Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary reads or writes as root on the host server. Incus allows for pongo2 templates within instances which ca…
EPSS: 0.000 (8.6th percentile)
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Lxc Incus — versions < 6.23.0
Weakness classification (CWE)
- Improper Neutralization of Special Elements Used in a Template Engine
References
- https://github.com/lxc/incus/security/advisories/GHSA-83xr-5xxr-mh92 (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2026-33897?
  CVE-2026-33897 is a critical-severity vulnerability in Lxc Incus, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 10.0/10. Published 2026-03-26.
- How severe is CVE-2026-33897?
  Critical severity. CVSS v3 base score is 10.0 out of 10.