Canonical LXD
15 CVEs affecting Canonical LXD. Latest disclosed: 2026-04-09. Critical: 3, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-34179 | Critical | 9.1 | 2026-04-09 | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH re… |
| CVE-2026-34178 | Critical | 9.1 | 2026-04-09 | In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instan… |
| CVE-2026-34177 | Critical | 9.1 | 2026-04-09 | Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.appa… |
| CVE-2016-1582 | Medium | 5.5 | 2016-06-09 | LXD before 2.0.2 does not properly set permissions when switching an unprivileged container into privileged mode, which allows local users to access arbitrary… |
| CVE-2016-1581 | Medium | 5.5 | 2016-06-09 | LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd/zfs.img when setting up a loop based ZFS pool, which allows local users to copy and read data… |
| CVE-2026-28384 | | | 2026-03-12 | An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daem… |
| CVE-2026-3351 | | | 2026-03-03 | Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certif… |
| CVE-2025-54293 | | | 2025-10-02 | Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host s… |
| CVE-2025-54292 | | | 2025-10-02 | Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended res… |
| CVE-2025-54291 | | | 2025-10-02 | Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project exist… |
| CVE-2025-54290 | | | 2025-10-02 | Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without auth… |
| CVE-2025-54289 | | | 2025-10-02 | Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions… |
| CVE-2025-54288 | | | 2025-10-02 | Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any con… |
| CVE-2025-54287 | | | 2025-10-02 | Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitr… |
| CVE-2025-54286 | | | 2025-10-02 | Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user c… |