Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionCVE.org
Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
AnalysisAI
Remote code execution in Apache CloudStack allows authenticated account users to execute arbitrary code on KVM hypervisor hosts by registering malicious templates with unsanitized filenames. Affects CloudStack 4.11.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0 when using KVM hypervisors. Despite high CVSS (8.8), EPSS exploitation probability is very low (0.04%, 11th percentile) and CISA SSVC reports no active exploitation. Vendor-released patches are available in versions 4.20.3.0 and 4.22.0.1.
Technical ContextAI
Apache CloudStack is an open-source Infrastructure-as-a-Service (IaaS) cloud computing platform that manages compute, storage, and network resources. The vulnerability (CWE-94: Improper Control of Generation of Code) exists in CloudStack's template registration functionality for KVM hypervisors. When account users register templates for direct download to primary storage, the template filename parameter lacks proper sanitization. This allows injection of malicious code or path traversal sequences that execute when the template file is processed on the KVM host filesystem. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_cloudstack) covers the platform's core orchestration layer that interfaces with hypervisor infrastructure. KVM (Kernel-based Virtual Machine) is a Linux hypervisor technology, and CloudStack's management of KVM hosts involves file operations that became the attack surface for this code injection vulnerability.
RemediationAI
Upgrade to Apache CloudStack version 4.20.3.0 or 4.22.0.1 (or later versions) which contain vendor-confirmed fixes for the filename sanitization vulnerability per the official Apache advisory at https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm. For environments unable to immediately patch, implement these compensating controls with noted trade-offs: (1) Restrict template registration permissions to trusted administrative accounts only via CloudStack role-based access control, removing this capability from general account users - this limits cloud self-service functionality but prevents untrusted users from exploiting the vulnerability. (2) Deploy file integrity monitoring on KVM hypervisor hosts to detect unauthorized file creation in primary storage paths - provides detection but not prevention, requiring active monitoring and incident response. (3) Isolate KVM management networks from untrusted account user access and enforce strict network segmentation between CloudStack management servers and hypervisor hosts - reduces attack surface but does not eliminate risk for authenticated users. All workarounds reduce functionality or require additional security tooling; vendor patching is the primary recommended remediation.
Same weakness CWE-94 – Code Injection
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28549
GHSA-vhgc-6rjx-f6vv