Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31 advisories

Loading
Incus has an arbitrary file write on its client due to trusted image hash Critical
CVE-2026-48769 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) Low
CVE-2026-48756 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
Incus has an argument injection in backup compression algorithm leading to AFW and ACE Critical
CVE-2026-48755 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool} Low
CVE-2026-48754 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
Incus has an arbitrary file write via path traversal in S3 multipart upload Critical
CVE-2026-48753 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has arbitrary file read+write on host via templates/ symlink in malicious image Critical
CVE-2026-48752 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has a restricted project bypass leading to arbitrary command execution Critical
CVE-2026-48751 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image Critical
CVE-2026-48750 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image Critical
CVE-2026-48749 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted) Moderate
CVE-2026-47753 was published for github.com/lxc/incus/v7 (Go) Jun 10, 2026
tonghuaroot Credited to tonghuaroot and stgraber stgraber stgraber
Incus is affected by unbounded binary import disk exhaustion Moderate
CVE-2026-41685 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has Nil Dereferences on Restore via Malformed YAML Moderate
CVE-2026-41684 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
raefko Credited to raefko, Ectario, and stgraber Ectario Ectario
stgraber stgraber
Incus has Unbounded YAML Metadata Decode via Parsing Moderate
CVE-2026-41648 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
raefko Credited to raefko, Ectario, and stgraber Ectario Ectario
stgraber stgraber
Incus has Nil-Pointer Dereference via S3 Bucket Import Moderate
CVE-2026-41647 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
raefko Credited to raefko, Ectario, and stgraber Ectario Ectario
stgraber stgraber
Incus has a Nil-Pointer Dereference via Custom Volume Import High
CVE-2026-40197 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus Vulnerable to Panic via Snapshot Bounds Check High
CVE-2026-40251 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots Low
CVE-2026-40243 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has a Nil-Pointer Dereference Panic via Bucket Metadata High
CVE-2026-40195 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus has Blind SSRF via Image Import Preflight HEAD Moderate
CVE-2026-35527 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Incus does not verify combined fingerprint when downloading images from simplestreams servers High
CVE-2026-33542 was published for github.com/lxc/incus/v6/client (Go) Mar 27, 2026
wl2018 Credited to wl2018 and stgraber stgraber stgraber
Incus vulnerable to local privilege escalation through custom storage volumes High
CVE-2025-64507 was published for github.com/lxc/incus/v6 (Go) Nov 13, 2025
abdodz1234 Credited to abdodz1234, stgraber, and hallyn stgraber stgraber
hallyn hallyn
Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks Low
CVE-2025-52889 was published for github.com/lxc/incus/v6 (Go) Jun 26, 2025
obalpetre-anssi Credited to obalpetre-anssi and stgraber stgraber stgraber
Incus container image templating arbitrary host file read and write High
CVE-2026-23954 was published for github.com/lxc/incus/v6/cmd/incusd (Go) Jan 22, 2026
rmcnamara-snyk Credited to rmcnamara-snyk and stgraber stgraber stgraber
Incus container environment configuration newline injection High
CVE-2026-23953 was published for github.com/lxc/incus/v6 (Go) Jan 22, 2026
rmcnamara-snyk Credited to rmcnamara-snyk and stgraber stgraber stgraber
Incus has an abitrary file write through its systemd-creds options Critical
CVE-2026-33945 was published for github.com/lxc/incus/v6 (Go) Mar 27, 2026
stgraber Credited to stgraber, grmpyninja, and stamparm grmpyninja grmpyninja
stamparm stamparm
ProTip! Advisories are also available from the GraphQL API