Go modules package
github.com/lxc/incus/v6
pkg:golang/github.com/lxc/incus/v6
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33945 | Cri | 9.9 | | < 6.23.0 | 6.23.0 | Mar 27, 2026 | Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something lik |
| CVE-2026-33897 | — | | | < 6.23.0 | 6.23.0 | Mar 26, 2026 | Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instanc |
| CVE-2026-33743 | — | | | < 6.23.0 | 6.23.0 | Mar 26, 2026 | Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by a user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server of |
| CVE-2026-33711 | — | | | < 6.23.0 | 6.23.0 | Mar 26, 2026 | Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23. |
| CVE-2026-23953 | — | | | < 6.21.0 | 6.21.0 | Jan 22, 2026 | Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to a |
| CVE-2025-64507 | — | | | < 6.19.0 | 6.19.0 | Nov 10, 2025 | Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` p |
| CVE-2025-52890 | Hig | 8.1 | | >= 6.12.0, < 6.14.0 | 6.14.0 | Jun 25, 2025 | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13 generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filteri |
| CVE-2025-52889 | Low | 3.4 | | < 6.14.0 | 6.14.0 | Jun 25, 2025 | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_fil |