Command injection in Apache CloudStack - CVE-2026-25077

Published: May 12, 2026


Vulnerability identifier: #VU131155
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25077
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software: Apache CloudStack

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code on KVM hosts.

The vulnerability exists due to insufficient sanitization of template file names in the direct download template handling path. When a direct download template is fetched to primary storage, the template file name is incorporated into a command executed on the KVM host, so shell metacharacters in the name become part of that command. A remote user with an ordinary low-privileged account (PR:L in the CVSS vector) can register a template with a crafted file name and execute arbitrary commands on the KVM hosts that process it.

By default, regular account users are allowed to register direct download templates in deployments that use the KVM hypervisor, so no elevated privilege is required to reach the vulnerable code path.
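The bug class above (a user-controlled file name spliced into a shell command, CWE-77) is easiest to see side by side with its fix. The following is an added example and is not CloudStack's code: the mount point, the `qemu-img info` invocation and the crafted file names are assumptions used only to illustrate the pattern. The unsafe builder shows where an injected operator lands once the shell tokenises the line; the hardened form allowlists the name and passes it as a single argv element without a shell.

```python
"""Command injection via a template file name: vulnerable pattern and hardened form.

Added illustration, not CloudStack's own code. POOL_PATH and the qemu-img
command line are assumptions chosen to show the bug class (CWE-77).
"""
import re
import shlex
import subprocess
from typing import List

# Assumed primary-storage mount point (illustrative, not from the advisory).
POOL_PATH = "/mnt/primary"

# Shell control operators that turn one command line into several commands.
_CONTROL_TOKENS = {";", "|", "&", "&&", "||", "(", ")", "<", ">"}


def build_unsafe_command(file_name: str) -> str:
    """Vulnerable pattern: the untrusted file name is pasted into a shell string.

    Whatever the shell treats specially in file_name becomes part of the command.
    """
    return f"qemu-img info {POOL_PATH}/{file_name}"


def shell_tokens(command: str) -> List[str]:
    """Tokenise roughly as a POSIX shell would, keeping control operators as tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def is_command_injected(file_name: str) -> bool:
    """True if the file name introduces a control operator into the unsafe command line.

    This is a demonstration heuristic (it does not model backticks or every shell
    feature); the actual fix is the allowlist plus no shell, below.
    """
    tokens = shell_tokens(build_unsafe_command(file_name))
    return any(tok in _CONTROL_TOKENS for tok in tokens)


# Allowlist: one plain path component, no '/', no whitespace, no metacharacters.
# The first character may not be '-' (could be parsed as an option) or '.'
# (rules out '..' traversal and hidden files).
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def validate_template_file_name(file_name: str) -> str:
    """Reject anything outside the allowlist; return the name unchanged otherwise."""
    if not _SAFE_NAME.fullmatch(file_name):
        raise ValueError(f"rejected template file name: {file_name!r}")
    return file_name


def build_safe_argv(file_name: str) -> List[str]:
    """Hardened form: validated name passed as exactly one argv element.

    '--' ends option parsing for getopt-style tools, so even a name beginning
    with '-' could not be read as a flag (the allowlist already forbids that).
    """
    name = validate_template_file_name(file_name)
    return ["qemu-img", "info", "--", f"{POOL_PATH}/{name}"]


def run_safe(file_name: str) -> subprocess.CompletedProcess:
    """Execute without a shell: the file name can only ever be a single argument."""
    return subprocess.run(
        build_safe_argv(file_name), shell=False, capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed attacker-controlled name, not taken from any real report.
    crafted = "disk.qcow2; id"
    print("unsafe line :", build_unsafe_command(crafted))
    print("shell tokens:", shell_tokens(build_unsafe_command(crafted)))
    print("injected    :", is_command_injected(crafted))
    try:
        build_safe_argv(crafted)
    except ValueError as err:
        print("hardened    :", err)
    print("safe argv   :", build_safe_argv("disk.qcow2"))
```

The point the tokenisation makes is that no amount of quoting the whole string fixes the unsafe builder reliably; the hardened path removes the shell from the picture entirely and, independently, refuses any name that is not a single plain path component, so a crafted name fails closed before any process is started.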


How to mitigate CVE-2026-25077

Install the security update from the vendor's website. Until the update is applied, limiting the ability to register direct download templates to trusted administrator accounts reduces exposure, since by default any account user can reach the vulnerable code path in KVM deployments.

Sources