CVE-2026-25077

HIGH

Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates

Title source: cna

Description

Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/09/6

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm

Scores

CVSS v3 8.8

EPSS 0.0002

EPSS Percentile 7.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (3)

apache/cloudstack 4.11.0.0 - 4.20.3.0

Apache Software Foundation/Apache CloudStack 4.11.0 - 4.20.2.0

Apache Software Foundation/Apache CloudStack 4.21.0.0 - 4.22.0.0

Published May 08, 2026

Tracked Since May 08, 2026