github.com/lxc/incus (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/lxc/incus, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (20)
CVE-2026-33897 — CVSS 9.9 (critical): Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary…
CVE-2026-33945 — CVSS 9.9 (critical): Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For…
CVE-2026-33898 — CVSS 8.8 (high): Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly…
CVE-2026-23954 — CVSS 8.7 (high): Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with…
CVE-2026-23953 — CVSS 8.7 (high): Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a…
CVE-2025-52890 — CVSS 8.1 (high): Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and…
CVE-2025-64507 — CVSS 7.8 (high): Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an…
CVE-2026-33711 — CVSS 7.8 (high): Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a…
CVE-2026-41684 — CVSS 6.5 (medium): Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml…
CVE-2026-33743 — CVSS 6.5 (medium): Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by…
CVE-2026-40195 — CVSS 6.5 (medium): Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import…
CVE-2026-40197 — CVSS 6.5 (medium): Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import…
CVE-2026-40251 — CVSS 6.5 (medium): Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import…
CVE-2026-41647 — CVSS 6.5 (medium): Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus…
CVE-2026-35527 — CVSS 5.0 (medium): Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD…
CVE-2026-41648 — CVSS 5.0 (medium): Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked…
CVE-2026-33542 — CVSS 4.8 (medium): Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when…
CVE-2026-40243 — CVSS 4.8 (medium): Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database…
CVE-2026-41685 — CVSS 4.3 (medium): Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amount of data by authenticated users can…
CVE-2025-52889 — CVSS 3.4 (low): Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13…