Apache CloudStack <4.20.3.0/4.22.0.1: Template Upload RCE via Unsanitized Filenames
CVE-2026-25077 Published on May 8, 2026
Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
Vulnerability Analysis
CVE-2026-25077 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-25077 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-25077
Want to know whenever a new CVE is published for Apache CloudStack? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache CloudStack:- Version 4.11.0, <= 4.20.2.0 is affected.
- Version 4.21.0.0, <= 4.22.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.