canonical lxd Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of canonical lxd's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical4

High4

Medium6

Low3

2 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of canonical lxd's CVEs are currently listed in CISA's KEV catalog.

Public exploits

13 of canonical lxd's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every canonical lxd version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

lxd-5.0.014 CVEs
lxd-5.113 CVEs
lxd-5.1013 CVEs
lxd-5.1113 CVEs
lxd-5.1213 CVEs
lxd-5.1313 CVEs
lxd-5.1413 CVEs
lxd-5.1513 CVEs
lxd-5.1613 CVEs
lxd-5.1713 CVEs
lxd-5.1813 CVEs
lxd-5.1913 CVEs
lxd-5.213 CVEs
lxd-5.2013 CVEs
lxd-5.313 CVEs
lxd-5.413 CVEs
lxd-5.513 CVEs
lxd-5.613 CVEs
lxd-5.713 CVEs
lxd-5.813 CVEs
lxd-5.913 CVEs
lxd-4.1211 CVEs
lxd-4.1311 CVEs
lxd-4.1411 CVEs
lxd-4.1511 CVEs
lxd-4.1611 CVEs
lxd-4.1711 CVEs
lxd-4.1811 CVEs
lxd-4.1911 CVEs
lxd-4.2011 CVEs
lxd-4.2111 CVEs
lxd-4.2211 CVEs
lxd-4.2311 CVEs
lxd-4.2411 CVEs
lxd-4.0.010 CVEs
lxd-4.110 CVEs
lxd-4.1010 CVEs
lxd-4.1110 CVEs
lxd-4.210 CVEs
lxd-4.310 CVEs
lxd-4.410 CVEs
lxd-4.510 CVEs
lxd-4.610 CVEs
lxd-4.710 CVEs
lxd-4.810 CVEs
lxd-4.910 CVEs
lxd-5.21.010 CVEs
v5.21.010 CVEs
lxd-5.21.19 CVEs
lxd-5.21.28 CVEs
lxd-5.21.38 CVEs
lxd-6.18 CVEs
lxd-6.28 CVEs
lxd-6.38 CVEs
lxd-6.48 CVEs
lxd-0.15 CVEs
lxd-0.105 CVEs
lxd-0.115 CVEs
lxd-0.125 CVEs
lxd-0.135 CVEs
lxd-0.145 CVEs
lxd-0.155 CVEs
lxd-0.165 CVEs
lxd-0.175 CVEs
lxd-0.185 CVEs
lxd-0.195 CVEs
lxd-0.25 CVEs
lxd-0.205 CVEs
lxd-0.215 CVEs
lxd-0.225 CVEs
lxd-0.235 CVEs
lxd-0.245 CVEs
lxd-0.255 CVEs
lxd-0.265 CVEs
lxd-0.275 CVEs
lxd-0.35 CVEs
lxd-0.45 CVEs
lxd-0.55 CVEs
lxd-0.65 CVEs
lxd-0.75 CVEs
lxd-0.85 CVEs
lxd-0.8.15 CVEs
lxd-0.95 CVEs
lxd-2.0.05 CVEs
lxd-2.0.0.beta15 CVEs
lxd-2.0.0.beta25 CVEs
lxd-2.0.0.beta35 CVEs
lxd-2.0.0.beta45 CVEs
lxd-2.0.0.rc15 CVEs
lxd-2.0.0.rc25 CVEs
lxd-2.0.0.rc35 CVEs
lxd-2.0.0.rc45 CVEs
lxd-2.0.0.rc55 CVEs
lxd-2.0.0.rc65 CVEs
lxd-2.0.0.rc75 CVEs
lxd-2.0.0.rc85 CVEs
lxd-2.0.0.rc95 CVEs
lxd-2.13 CVEs
lxd-2.103 CVEs
lxd-2.10.13 CVEs
lxd-2.113 CVEs
lxd-2.123 CVEs
lxd-2.133 CVEs
lxd-2.143 CVEs
lxd-2.153 CVEs
lxd-2.163 CVEs
lxd-2.173 CVEs
lxd-2.183 CVEs
lxd-2.193 CVEs
lxd-2.23 CVEs
lxd-2.203 CVEs
lxd-2.213 CVEs
lxd-2.33 CVEs
lxd-2.43 CVEs
lxd-2.4.13 CVEs
lxd-2.53 CVEs
lxd-2.63 CVEs
lxd-2.6.13 CVEs
lxd-2.6.23 CVEs
lxd-2.73 CVEs
lxd-2.83 CVEs
lxd-2.93 CVEs
lxd-2.9.13 CVEs
lxd-2.9.23 CVEs
lxd-2.9.33 CVEs
lxd-3.0.03 CVEs
lxd-3.0.0.beta13 CVEs
lxd-3.0.0.beta23 CVEs
lxd-3.0.0.beta33 CVEs
lxd-3.0.0.beta43 CVEs
lxd-3.0.0.beta53 CVEs
lxd-3.0.0.beta63 CVEs
lxd-3.0.0.beta73 CVEs
lxd-3.13 CVEs
lxd-3.103 CVEs
lxd-3.113 CVEs
lxd-3.123 CVEs
lxd-3.133 CVEs
lxd-3.143 CVEs
lxd-3.153 CVEs
lxd-3.163 CVEs
lxd-3.173 CVEs
lxd-3.183 CVEs
lxd-3.193 CVEs
lxd-3.23 CVEs
lxd-3.203 CVEs
lxd-3.213 CVEs
lxd-3.223 CVEs
lxd-3.233 CVEs
lxd-3.33 CVEs
lxd-3.43 CVEs
lxd-3.53 CVEs
lxd-3.63 CVEs
lxd-3.73 CVEs
lxd-3.83 CVEs
lxd-3.93 CVEs
lxd-2.0.12 CVEs
lxd-5.0.12 CVEs
lxd-5.0.22 CVEs
lxd-5.0.32 CVEs
lxd-6.52 CVEs
lxd-6.62 CVEs
lxd-4.0.11 CVE
lxd-4.0.21 CVE
lxd-4.0.31 CVE
lxd-4.0.41 CVE
lxd-4.0.51 CVE
lxd-4.0.61 CVE
lxd-4.0.71 CVE
lxd-4.0.81 CVE
lxd-4.0.91 CVE
lxd-5.0.41 CVE

Fixed in

5.21.49 CVEs
0494f5d47e41af69a8374568c0cb8b3eefd72a6a8 CVEs
6.58 CVEs
fec3cc832ca782d398c82d38f8532ef9d5be2e006 CVEs
5.0.73 CVEs
5.21.53 CVEs
6.8.03 CVEs
043696a13171ace7dd4c2b32d34ce039ab6290521 CVE
0e7f2b5bf4d2bc4eb3abc54b2b5e12c3be6638201 CVE
2101d7f6efdaa7762e6593c857cb524bfcd2859b1 CVE
2eacddbb65acf10b2fcea4ee92374a90d2376dc41 CVE
4.0.101 CVE

Find a version

19 CVEs

Sort

Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
CVE-2026-34179
Public exploit
Patch
CWE-915
Critical · CVSS 9.1
EPSS 0.2% (37th pct)2026-04-09
Importing a crafted backup leads to project restriction bypass
CVE-2026-34178
Public exploit
Patch
CWE-20
Critical · CVSS 9.1
EPSS 0.1% (22th pct)2026-04-09
VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
CVE-2026-34177
Public exploit
Patch
CWE-184
Critical · CVSS 9.1
EPSS 0.2% (36th pct)2026-04-09
Authenticated RCE via unsanitized compression_algorithm
CVE-2026-28384
Public exploit
Patch
CWE-78
Critical · CVSS 9.4
EPSS 0.3% (49th pct)2026-03-12
Authorization Bypass in LXD GET /1.0/certificates Endpoint
CVE-2026-3351
Patch
CWE-862
Low · CVSS 2.1
EPSS 0.0% (8th pct)2026-03-03
Path Traversal in LXD Instance Log File Retrieval
CVE-2025-54293
Public exploit
Patch
CWE-22
High · CVSS 7.1
EPSS 0.1% (25th pct)2025-10-02
Client-Side Path Traversal in LXD-UI
CVE-2025-54292
Public exploit
Patch
CWE-22
Medium · CVSS 4.8
EPSS 0.0% (11th pct)2025-10-02
Project existence disclosure in LXD images API
CVE-2025-54291
Public exploit
Patch
CWE-209
Medium · CVSS 6.9
EPSS 0.1% (29th pct)2025-10-02
Project Existence Disclosure via Error Handling in LXD Image Export
CVE-2025-54290
Public exploit
Patch
CWE-200
Medium · CVSS 6.9
EPSS 0.1% (30th pct)2025-10-02
Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API
CVE-2025-54289
Patch
CWE-1385
High · CVSS 7.4
EPSS 0.0% (14th pct)2025-10-02
Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
CVE-2025-54288
Public exploit
Patch
CWE-290
Medium · CVSS 5.1
EPSS 0.1% (19th pct)2025-10-02
Arbitrary File Read via Template Injection in Snapshot Patterns
CVE-2025-54287
Public exploit
Patch
CWE-1336
High · CVSS 7.1
EPSS 0.1% (21th pct)2025-10-02
CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI
CVE-2025-54286
Patch
CWE-352
High · CVSS 7.5
EPSS 0.0% (7th pct)2025-10-02
Low vulnerability · 2024-12-05
CVE-2024-6219
Public exploit
Patch
CWE-295
Low · CVSS 3.8
EPSS 0.2% (37th pct)2024-12-05
Low vulnerability · 2024-12-05
CVE-2024-6156
Public exploit
Patch
CWE-295
Low · CVSS 3.8
EPSS 0.1% (17th pct)2024-12-05
Medium vulnerability · 2024-02-14
CVE-2023-49721
Patch
CWE-276
Medium · CVSS 6.7
EPSS 0.0% (4th pct)2024-02-14
Medium vulnerability · 2024-02-14
CVE-2023-48733
Public exploit
Patch
CWE-1188
Medium · CVSS 6.7
EPSS 0.0% (3th pct)2024-02-14
Vulnerability · 2016-06-09
CVE-2016-1582
Unscored
EPSS 0.0% (13th pct)2016-06-09
Vulnerability · 2016-06-09
CVE-2016-1581
Unscored
EPSS 0.0% (11th pct)2016-06-09

Severity and exploitation

canonical lxd Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other canonical products

Frequently asked questions

How many CVEs does canonical lxd have?

How many canonical lxd CVEs are in CISA KEV?

Are there public exploits for canonical lxd vulnerabilities?

Which versions of canonical lxd are affected?

What are the most common weakness types in canonical lxd CVEs?

How many critical canonical lxd vulnerabilities are there?

What is the average severity of canonical lxd CVEs?

References

Track canonical lxd vulnerabilities