Skip to main content

Xapi

4 CVEs product

Monthly

CVE-2025-58146 CRITICAL Act Now

Denial-of-service and database-corruption in Xen's XAPI toolstack (the XenAPI management layer used by XCP-ng and Citrix/XenServer Hypervisor) lets clients that submit object updates crash the database event thread or write strings that permanently prevent the database from loading. Three distinct input-validation defects are covered by XSA-474: notifications built from unsanitised input, a UTF-8 encoder that follows Unicode 3.0 while dependent libraries enforce the stricter 3.1 spec, and a total absence of sanitisation for Map/Set object updates. No public exploit has been identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 9.4.

Information Disclosure Xapi
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2024-31144 LOW PATCH Monitor

For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.

Information Disclosure Xapi
NVD
CVSS 3.1
3.8
EPSS
0.1%
CVE-2022-33749 MEDIUM PATCH This Month

XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Xapi
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2020-29487 HIGH PATCH This Week

An issue was discovered in Xen XAPI before 2020-12-15. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Xapi
NVD
CVSS 3.1
7.5
EPSS
1.4%
EPSS 0% CVSS 9.4
CRITICAL Act Now

Denial-of-service and database-corruption in Xen's XAPI toolstack (the XenAPI management layer used by XCP-ng and Citrix/XenServer Hypervisor) lets clients that submit object updates crash the database event thread or write strings that permanently prevent the database from loading. Three distinct input-validation defects are covered by XSA-474: notifications built from unsanitised input, a UTF-8 encoder that follows Unicode 3.0 while dependent libraries enforce the stricter 3.1 spec, and a total absence of sanitisation for Map/Set object updates. No public exploit has been identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 9.4.

Information Disclosure Xapi
NVD
EPSS 0% CVSS 3.8
LOW PATCH Monitor

For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.

Information Disclosure Xapi
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Xapi
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Xen XAPI before 2020-12-15. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Xapi
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy