CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-59302 – Apache CloudStack: Potential remote code execution on Javascript engine defined rules
https://notcve.org/view.php?id=CVE-2025-59302
27 Nov 2025 — In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. * quotaTariffCreate * quotaTariffUpdate * createSecondaryStorageSelector * updateSecondaryStorageSelector * updateHost * updateStorage This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global config... • https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-59454 – Apache CloudStack: Lack of user permission validation leading to data leak for few APIs
https://notcve.org/view.php?id=CVE-2025-59454
27 Nov 2025 — In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue. In Apache CloudStack, a gap in access control... • https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30675 – Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins
https://notcve.org/view.php?id=CVE-2025-30675
10 Jun 2025 — In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boun... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22829 – Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin
https://notcve.org/view.php?id=CVE-2025-22829
10 Jun 2025 — The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue. • https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-269: Improper Privilege Management •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-26521 – Apache CloudStack: CKS cluster in project exposes user API keys
https://notcve.org/view.php?id=CVE-2025-26521
10 Jun 2025 — When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform pri... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-47849 – Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain
https://notcve.org/view.php?id=CVE-2025-47849
10 Jun 2025 — A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result i... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-47713 – Apache CloudStack: Domain Admin can reset Admin password in Root Domain
https://notcve.org/view.php?id=CVE-2025-47713
10 Jun 2025 — A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource in... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-269: Improper Privilege Management •
CVSS: 4.3EPSS: 18%CPEs: 1EXPL: 1CVE-2025-22828 – Apache CloudStack: Unauthorised access to annotations
https://notcve.org/view.php?id=CVE-2025-22828
13 Jan 2025 — CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such ... • https://github.com/Stolichnayer/CVE-2025-22828 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50386 – Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-50386
12 Nov 2024 — Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and ... • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3 • CWE-20: Improper Input Validation •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45219 – Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-45219
16 Oct 2024 — Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environm... • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •