CVE-2026-28384

CWE-78OS Command Injection5 documents5 sources
Severity
9.4CRITICAL
EPSS
0.1%
top 64.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Canonical LXD
Timeline
PublishedMar 12

Description

An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages3 packages

CVEListV5canonical/lxd6.06.7+3
Debianlxd< 5.0.2-5+deb12u4+1
Debianincus< 6.0.4-2+deb13u5+1

🔴Vulnerability Details

2
OSV
CVE-2026-28384: An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the2026-03-12
CVEList
Authenticated RCE via unsanitized compression_algorithm2026-03-12

📋Vendor Advisories

1
Debian
CVE-2026-28384: incus - An improper sanitization of the compression_algorithm parameter in Canonical LXD...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-28384 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-28384 (CRITICAL CVSS 9.4) | An improper sanitization of the com | cvebase.io