
CVE-2026-25077 - Vulnerability Analysis

Severity: High | CVSS: 8.8

Last Updated: May 10, 2026

Apache CloudStack - Command Injection

Published: May 8, 2026 | Updated: May 10, 2026 | Remotely exploitable

Overview

Apache CloudStack contains a command injection vulnerability caused by missing file name sanitization during template registration for the KVM hypervisor. An authenticated user can exploit it to execute arbitrary code on KVM hosts; exploitation requires a user account.
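As an added illustration (this is not CloudStack's code; the storage root, the qemu-img invocation and all sample names are constructed placeholders), the following shows the general pattern behind this bug class beside its defensive counterpart: a user-controlled file name spliced into a shell command string, versus an allowlist validator combined with argv-based execution that never hands the name to a shell.

```python
"""Defensive handling of user-supplied template file names before they reach a host command.

Added example, not part of the original advisory or of Apache CloudStack.
TEMPLATE_ROOT and the qemu-img command are assumed placeholders.
"""
import re
import subprocess
from pathlib import Path

TEMPLATE_ROOT = Path("/var/lib/templates")  # assumed storage root (placeholder)

# Allowlist: first char a letter or digit, then only [A-Za-z0-9._-], at most 255 chars.
# Shell metacharacters, whitespace and path separators can never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
ALLOWED_SUFFIXES = {".qcow2", ".img", ".iso", ".vhd"}


def is_safe_template_name(name: str) -> bool:
    """True only if the name passes the allowlist and carries an expected extension."""
    if not SAFE_NAME.fullmatch(name):
        return False
    if ".." in name:  # defence in depth; the regex already forbids '/'
        return False
    return Path(name).suffix.lower() in ALLOWED_SUFFIXES


def unsafe_shell_command(name: str) -> str:
    """The fragile pattern: the raw name is concatenated into a string that a shell
    would parse (e.g. via shell=True). Returned, never executed, so the example can
    show that whatever the user typed lands verbatim in the command line."""
    return f"qemu-img info {TEMPLATE_ROOT / name}"


def safe_argv(name: str) -> list[str]:
    """Validated name placed into an argv list; no shell ever interprets it."""
    if not is_safe_template_name(name):
        raise ValueError(f"rejected template name: {name!r}")
    return ["qemu-img", "info", "--output=json", str(TEMPLATE_ROOT / name)]


def inspect_template(name: str, execute: bool = False) -> list[str]:
    """Build (and optionally run) the hardened command. Execution is off by default
    so the example runs offline without qemu-img installed."""
    argv = safe_argv(name)
    if execute:
        # shell=False: argv elements are passed to execve as-is, so a name that
        # somehow contained ';' or '$(...)' would still be a single literal argument.
        subprocess.run(argv, check=True, shell=False, capture_output=True)
    return argv


if __name__ == "__main__":
    # Constructed sample names: one legitimate, two hostile-looking.
    for sample in ("ubuntu-22.04.qcow2", "disk.qcow2; id", "$(id).img"):
        print(f"{sample!r}: allowlist -> {is_safe_template_name(sample)}")
        print("  unsafe string:", unsafe_shell_command(sample))
        try:
            print("  safe argv:    ", inspect_template(sample))
        except ValueError as err:
            print("  safe argv:    ", err)
```

The two defences are independent and both are worth keeping: the allowlist rejects anything that is not a plausible image file name before it touches storage or a command, and building an argv list with `shell=False` means that even a value that slips past validation is passed to the program as one literal argument rather than parsed by `/bin/sh`.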

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Authenticated users can execute arbitrary code on KVM hosts, compromising data integrity, confidentiality, and availability of the infrastructure.

Mitigation

Upgrade to Apache CloudStack 4.20.3.0 or 4.22.0.1, or any later release.

Details

CVE ID: CVE-2026-25077
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: modified

CWE

  • CWE-94 (Improper Control of Generation of Code, "Code Injection")

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Network attack vector, low attack complexity, low privileges required (an ordinary user account), no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability.