CVE-2025-54286

CWE-352 — Cross-Site Request Forgery (CSRF)7 documents5 sources

Severity

7.5HIGH

EPSS

0.0%

top 93.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical LXD Github.com Canonical/lxd

Timeline

PublishedOct 2

Latest updateNov 5

Description

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Affected Packages5 packages

▶CVEListV5canonical/lxd5.0 — 5.0.5+2

▶NVDcanonical/lxd5.0.0 — 5.0.5+2

▶Gogithub.com/canonical/lxd5.0 — 5.0.5+3

▶Debianlxd< 5.0.2-5+deb12u1+1

▶Debianincus< 6.0.4-2+deb13u1+1

🔴Vulnerability Details

OSV

CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI in github.com/canonical/lxd↗2025-11-05

▶

CVEList

CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI↗2025-10-02

▶

OSV

Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI↗2025-10-02

▶

GHSA

Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI↗2025-10-02

▶

OSV

CVE-2025-54286: Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5↗2025-10-02

▶

📋Vendor Advisories

Debian

CVE-2025-54286: incus - Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on ...↗2025

▶