Go modules package
github.com/lxc/incus/v6/cmd/incusd
pkg:golang/github.com/lxc/incus/v6/cmd/incusd
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41685 | Med | 4.3 | | <= 6.23.0 | — | May 7, 2026 | Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amounts of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact here is limited for anyone using storage.images_ |
| CVE-2026-41684 | Med | 6.5 | | <= 6.23.0 | — | May 7, 2026 | Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive c |
| CVE-2026-41648 | Med | 5.0 | | <= 6.23.0 | — | May 7, 2026 | Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup t |
| CVE-2026-41647 | Med | 6.5 | | <= 6.23.0 | — | May 7, 2026 | Incus is a system container and virtual machine manager. Prior to version 7.0.0, missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0. |
| CVE-2026-40251 | Med | 6.5 | | < 7.0.0 | 7.0.0 | May 6, 2026 | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem c |
| CVE-2026-40243 | Med | 4.8 | | < 7.0.0 | 7.0.0 | May 6, 2026 | Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and |
| CVE-2026-40197 | Med | 6.5 | | < 7.0.0 | 7.0.0 | May 6, 2026 | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup impor |
| CVE-2026-40195 | Med | 6.5 | | < 7.0.0 | 7.0.0 | May 6, 2026 | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present i |
| CVE-2026-35527 | Med | 5.0 | | < 7.0.0 | 7.0.0 | May 5, 2026 | Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo |
| CVE-2026-23954 | — | | | >= 0 | — | Jan 22, 2026 | Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve h |