github.com/canonical/lxd (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/canonical/lxd, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2026-34179 — CVSS 9.1 (critical): In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when…
CVE-2026-34177 — CVSS 9.1 (critical): Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go)…
CVE-2026-34178 — CVSS 9.1 (critical): In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive…
CVE-2025-54286 — CVSS 8.8 (high): Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container…
CVE-2025-54289 — CVSS 8.1 (high): Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal…
CVE-2025-54288 — CVSS 6.8 (medium): Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root…
CVE-2025-54293 — CVSS 6.5 (medium): Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary…
CVE-2025-54291 — CVSS 5.3 (medium): Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to…
CVE-2025-54290 — CVSS 5.3 (medium): Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project…
CVE-2026-3351 — CVSS 4.3 (medium): Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to…
CVE-2024-6156 — CVSS 3.8 (low): Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust…
CVE-2024-6219 — CVSS 3.8 (low): Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its…