CVE-2025-54286
Published: 2025-10-02
Severity: High, 7.5 (CVSS 4.0)
Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 0 < 5.0.2-5+deb12u1 | 5.0.2-5+deb12u1 |
| canonical | lxd | >= 0 < 5.0.2+git20231211.1364ae4-9+deb13u1 | 5.0.2+git20231211.1364ae4-9+deb13u1 |
| canonical | lxd | >= 5.0 < 5.0.5 | 5.0.5 |
| canonical | lxd | >= 5.0.0 < 5.0.5 | 5.0.5 |
| canonical | lxd | >= 5.21 < 5.21.4 | 5.21.4 |
| canonical | lxd | >= 5.21.0 < 5.21.4 | 5.21.4 |
| canonical | lxd | >= 6.0 < 6.5 | 6.5 |
| canonical | lxd | >= 6.1 < 6.5 | 6.5 |
| debian | incus | < incus 6.0.5-1 (forky) | incus 6.0.5-1 (forky) |
| debian | lxd | < incus 6.0.5-1 (forky) | incus 6.0.5-1 (forky) |
| github.com | canonical_lxd | >= 0.0.0-20220401034332-1e1349e3cbf3 < 0.0.0-20250827065555-0494f5d47e41 | 0.0.0-20250827065555-0494f5d47e41 |
| github.com | canonical_lxd | >= 5.0 < 5.0.5 | 5.0.5 |
| github.com | canonical_lxd | >= 5.1 < 5.21.4 | 5.21.4 |
| github.com | canonical_lxd | >= 6.0 < 6.5 | 6.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 7.5 | HIGH | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 7.5 | HIGH | |