CVE-2026-33414 — OS Command Injection in Containers Podman V5

CWE-78 — OS Command Injection CWE-94 — Code Injection5 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.0%

top 92.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Containers Podman V5 Github.com Containers Podman V4 Containers Podman

Timeline

PublishedApr 14

Description

Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted ma…

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Gogithub.com/containers_podman_v5< 5.8.2

▶Gogithub.com/containers_podman_v44.8.0 — 4.9.5

▶CVEListV5containers/podman>= 4.8.0, < 5.8.2

🔴Vulnerability Details

GHSA

PowerShell Command Injection in Podman HyperV Machine↗2026-04-14

▶

CVEList

PowerShell Command Injection in Podman HyperV Machine↗2026-04-14

▶

📋Vendor Advisories

Red Hat

podman: github.com/containers/podman: Podman: Arbitrary code execution via command injection in HyperV backend↗2026-04-14

▶

💬Community

Bugzilla

CVE-2026-33414 podman: github.com/containers/podman: Podman: Arbitrary code execution via command injection in HyperV backend↗2026-04-14

▶