CVE-2025-59302

CWE-94 Code Injection
3 documents, 3 sources
Severity
4.7 MEDIUM
EPSS
0.1%
top 73.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Nov 27, 2025

Description

In Apache CloudStack, an improper control of generation of code ('Code Injection') vulnerability is found in the following APIs, which are accessible only to admins:

* quotaTariffCreate
* quotaTariffUpdate
* createSecondaryStorageSelector
* updateSecondaryStorageSelector
* updateHost
* updateStorage

This issue affects Apache CloudStack from 4.18.0 before 4.20.2 and from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a n
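The two affected ranges above are the only thing an operator needs to triage a deployment, but version strings come in several shapes (CVEList uses 4.20.1, NVD uses 4.20.1.0, builds may carry a -SNAPSHOT suffix). The following is an added example, not code from the advisory or from the CloudStack project: it normalises a version string, tests it against the ranges stated in the description, and, while a deployment is still on an affected version, filters an exported list of API names down to the six admin-only endpoints the advisory names. The `api_calls` input is a constructed sample standing in for whatever audit or event export a site has.

```python
"""Triage helper for CVE-2025-59302 (Apache CloudStack).

Added example; not part of the advisory or of CloudStack itself.
Affected ranges and API names are taken from the advisory text.
"""
from __future__ import annotations

import re

# Start inclusive, fix version exclusive, exactly as the advisory states:
#   from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0
AFFECTED_RANGES = (
    ((4, 18, 0), (4, 20, 2)),
    ((4, 21, 0), (4, 22, 0)),
)

# Admin-only APIs named in the advisory as carrying the code-injection issue.
VULNERABLE_APIS = frozenset({
    "quotaTariffCreate",
    "quotaTariffUpdate",
    "createSecondaryStorageSelector",
    "updateSecondaryStorageSelector",
    "updateHost",
    "updateStorage",
})


def parse_version(s: str) -> tuple[int, int, int]:
    """Return the first three numeric components of a CloudStack version.

    Accepts '4.20.1' (CVEList style), '4.20.1.0' (NVD style) and build
    strings such as '4.20.1.0-SNAPSHOT'; anything else is rejected rather
    than silently treated as unaffected.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised CloudStack version: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside either advisory range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(version: str, api_calls: list[str]) -> dict:
    """Combine the version check with a scan of observed API names.

    `api_calls` is whatever list of command names a site can export from
    its own audit/event records; only the advisory's endpoints are reported,
    and only when the running version is in an affected range.
    """
    affected = is_affected(version)
    hits = sorted(set(api_calls) & VULNERABLE_APIS) if affected else []
    return {
        "version": version,
        "affected": affected,
        "fixed_in": "4.20.2 / 4.22.0",
        "vulnerable_api_calls": hits,
    }


if __name__ == "__main__":
    # Constructed sample: a 4.20.x management server and a handful of
    # command names as they would appear in an audit export.
    sample_calls = ["listHosts", "updateHost", "quotaTariffCreate", "listHosts"]
    print(triage("4.20.1.0", sample_calls))
    print(triage("4.20.2.0", sample_calls))
```

Because the issue is reachable only with admin privileges (PR:H in the vector), the `vulnerable_api_calls` list is a review queue, not an indicator of compromise: each hit is an admin-authored rule that should be read for unexpected content until the upgrade to 4.20.2 or 4.22.0 is done.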

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.2 | Impact: 3.4

Affected Packages (2 packages)

Source | Package | Introduced | Fixed
CVEList V5 | apache_software_foundation/apache_cloudstack | 4.18.0 | 4.20.2 (+1 more range)
NVD | apache/cloudstack | 4.18.0.0 | 4.20.2.0 (+1 more range)

Vulnerability Details (2)
CVEList | Apache CloudStack: Potential remote code execution on Javascript engine defined rules | 2025-11-27
GHSA | GHSA-hgmv-qpw9-xrfq: In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only | 2025-11-27
CVE-2025-59302 (MEDIUM, CVSS 4.7) | cvebase.io