Apache CloudStack
19 CVEs affecting Apache CloudStack. Latest disclosed: 2026-05-08. Critical: 2, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2015-3252 | Critical | 9.8 | 2016-02-08 | Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by co… |
| CVE-2026-25199 | Critical | 9.1 | 2026-05-08 | Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from… |
| CVE-2026-25077 | High | 8.8 | 2026-05-08 | Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. D… |
| CVE-2025-66172 | High | 8.1 | 2026-05-08 | The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0… |
| CVE-2025-66467 | High | 8.0 | 2026-05-08 | Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user cre… |
| CVE-2025-69233 | Medium | 6.5 | 2026-05-08 | Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platfor… |
| CVE-2025-66171 | Medium | 6.5 | 2026-05-08 | The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0… |
| CVE-2025-66170 | Medium | 6.5 | 2026-05-08 | The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack… |
| CVE-2016-3085 | Medium | 6.5 | 2016-06-10 | Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and use… |
| CVE-2015-3251 | Medium | 4.9 | 2016-02-08 | Apache CloudStack before 4.5.2 might allow remote authenticated administrators to obtain sensitive password information for root accounts of virtual machines v… |
| CVE-2014-9593 | | | 2015-01-15 | Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call. |
| CVE-2014-7807 | | | 2014-12-10 | Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which trig… |
| CVE-2013-2758 | | | 2014-05-23 | Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, wh… |
| CVE-2013-2756 | | | 2014-05-23 | Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the con… |
| CVE-2014-0031 | | | 2014-01-15 | The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLS for other users… |
| CVE-2013-6398 | | | 2014-01-15 | The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote att… |
| CVE-2013-2136 | | | 2013-08-19 | Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudStack before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1)… |
| CVE-2012-5616 | | | 2013-01-22 | Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file… |
| CVE-2012-4501 | | | 2012-10-26 | Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as d… |