Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <10c796d8-d900-4d3c-9ae1-d1b838ce8ec2@apache.org>
Date: Fri, 8 May 2026 14:21:09 +0200
From: "Piotr P. Karwasz" <pkarwasz@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-25077: Apache CloudStack: Unauthenticated Command Injection
 in Direct Download Templates

Severity: important

Affected versions:

- Apache CloudStack 4.11.0 through 4.20.2.0
- Apache CloudStack 4.21.0.0 through 4.22.0.0

Description:

Account users are allowed by default to register templates to be
downloaded directly to the primary storage for deploying instances using
the KVM hypervisor. Due to missing file name sanitization, an attacker
can register malicious templates to execute arbitrary code on the KVM
hosts. This can result in the compromise of resource integrity and
confidentiality, data loss, denial of service, and availability of the
KVM-based infrastructure managed by CloudStack.


Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0
or 4.22.0.1, or later, which fixes this issue.

Credit:

Reza at HazardLab (https://hazardlab.ninja) (reporter)

References:

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-25077

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.