Lxd

This hub aggregates every CVE we track for Lxd, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Lxd.

• CVE-2026-34179Update of type field in restricted TLS certificate allows privilege escalation to cluster admin9.1Apr 9, 2026
• CVE-2026-34178Importing a crafted backup leads to project restriction bypass9.1Apr 9, 2026
• CVE-2026-34177VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf9.1Apr 9, 2026
• CVE-2026-28384Authenticated RCE via unsanitized compression_algorithm9.9Mar 12, 2026
• CVE-2025-54293Path Traversal in LXD Instance Log File Retrieval6.5Oct 2, 2025
• CVE-2025-54292Client-Side Path Traversal in LXD-UI4.6Oct 2, 2025
• CVE-2025-54291Project existence disclosure in LXD images API5.3Oct 2, 2025
• CVE-2025-54290Project Existence Disclosure via Error Handling in LXD Image Export5.3Oct 2, 2025
• CVE-2025-54289Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API8.1Oct 2, 2025
• CVE-2025-54288Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server6.8Oct 2, 2025
• CVE-2025-54287Arbitrary File Read via Template Injection in Snapshot Patterns6.5Oct 2, 2025
• CVE-2025-54286CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI8.8Oct 2, 2025
• CVE-2024-6219Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.3.8Dec 5, 2024
• CVE-2024-6156Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.3.8Dec 5, 2024
• CVE-2023-49721An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.6.7Feb 14, 2024