SB2026040956 - Path traversal in lxd




Published: April 9, 2026

Security Bulletin ID: SB2026040956
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Path traversal (CVE-ID: CVE-2025-54292)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper input validation in lxd-ui when it embeds user-controlled resource names in URL paths. A remote user can create a malicious resource name containing path traversal sequences to disclose sensitive information.

User interaction is required, and exploitation occurs when another user performs operations on the crafted resource, causing path normalization to switch to a different project or resource.
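
The pattern described above, as an added example that is not code from lxd-ui or from this bulletin: the route layout, origin and resource names are hypothetical. It shows how an unencoded name changes the normalized path, and how per-segment encoding plus a dot-segment check keeps the request in the intended project.

```javascript
// Added example. The route layout, origin and names are hypothetical,
// not taken from lxd-ui.
const BASE = "https://lxd.example"; // placeholder origin

// Vulnerable pattern: the resource name is interpolated into the path as-is.
function unsafePath(project, name) {
  return `/ui/project/${project}/instance/${name}`;
}

// Hardened pattern: encode every segment. encodeURIComponent leaves "." and
// ".." unchanged, so those (and empty names) are rejected explicitly.
function safePath(project, name) {
  for (const seg of [project, name]) {
    if (seg === "" || seg === "." || seg === "..") {
      throw new Error(`invalid path segment: ${JSON.stringify(seg)}`);
    }
  }
  const p = encodeURIComponent(project);
  const n = encodeURIComponent(name);
  return `/ui/project/${p}/instance/${n}`;
}

// The path a client actually requests after URL normalization.
function resolved(path) {
  return new URL(path, BASE).pathname;
}

// Check that the normalized path is still under the intended project.
function staysInProject(path, project) {
  const prefix = `/ui/project/${encodeURIComponent(project)}/instance/`;
  return resolved(path).startsWith(prefix);
}

// Constructed sample name containing traversal sequences.
const crafted = "../../other/instance/db";

console.log(resolved(unsafePath("default", crafted)));
console.log(staysInProject(unsafePath("default", crafted), "default"));
console.log(resolved(safePath("default", crafted)));
console.log(staysInProject(safePath("default", crafted), "default"));
```
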


Remediation

Install the update from the vendor's website.