KVM Hypervisor Vulnerability in Apache CloudStack
CVE-2026-25077

8.8 HIGH

Key Information:

Vendor: Apache
CVE Published: 8 May 2026

What is CVE-2026-25077?

A flaw in the Apache CloudStack KVM hypervisor integration lets account users register templates without proper sanitization of the template file name. Because of this missing control, a malicious actor can upload a harmful template directly to the primary storage used to deploy KVM instances. Exploitation could lead to loss of data integrity, unauthorized access to sensitive information, service disruption, and compromise of the KVM-based infrastructure managed by CloudStack. Users are advised to upgrade to Apache CloudStack 4.20.3.0 or 4.22.0.1, or a later release, to mitigate this risk.

Affected Version(s)

Apache CloudStack 4.11.0 through 4.20.2.0 (inclusive)

Apache CloudStack 4.21.0.0 through 4.22.0.0 (inclusive)
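The affected ranges and fixed releases above, turned into an inventory check. This is an added example, not code from the advisory or from the CloudStack project: it parses dotted CloudStack version strings, tests them against the two inclusive ranges listed here, and flags hosts in a constructed sample inventory whose host names and versions are made up.

```python
"""Inventory check for CVE-2026-25077: flag Apache CloudStack versions inside the advisory's affected ranges."""
from typing import Dict, List, Tuple

# Affected ranges exactly as the advisory lists them (both ends inclusive).
AFFECTED_RANGES = (("4.11.0", "4.20.2.0"), ("4.21.0.0", "4.22.0.0"))
# Releases the advisory names as carrying the fix, one per maintained line.
FIXED_VERSIONS = ("4.20.3.0", "4.22.0.1")


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.20.2.0' -> (4, 20, 2, 0); short forms are zero-padded so '4.11.0' equals '4.11.0.0'.
    Raises ValueError for anything that is not a dotted run of non-negative integers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if any(p < 0 for p in parts):
        raise ValueError(f"not a CloudStack version: {version!r}")
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def has_fix(version: str) -> bool:
    """True for a fixed release or a later build on the same 4.x line. A version on a line the
    advisory does not name is neither affected nor fixed here; check it against the vendor's notes."""
    v = parse_version(version)
    return any(v[:2] == parse_version(f)[:2] and v >= parse_version(f) for f in FIXED_VERSIONS)


# Constructed sample inventory (host -> reported CloudStack version); the hosts are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "cs-mgmt-01": "4.20.2.0",   # inside the first range
    "cs-mgmt-02": "4.20.3.0",   # fixed release on the 4.20 line
    "cs-lab-01": "4.22.0.0",    # inside the second range
    "cs-lab-02": "4.22.0.1",    # fixed release on the 4.22 line
    "cs-old-01": "4.10.0.0",    # below the first range
}


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose version is inside an affected range, sorted by name."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:12} {ver:9} affected={is_affected(ver)} fixed={has_fix(ver)}")
```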

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Reza at HazardLab (https://hazardlab.ninja).