Apache CloudStack Command Injection Vulnerability in Direct Download Templates Allows Unauthenticated Execution of Arbitrary Code on KVM Hosts

Vulnerability

A command injection vulnerability has been identified in Apache CloudStack in versions 4.11.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0. The issue arises from missing file name sanitization, allowing account users to register malicious templates that are downloaded directly to primary storage for instance deployment on KVM hypervisors. This vulnerability could be exploited to execute arbitrary code on KVM hosts, potentially compromising resource integrity and confidentiality, causing data loss, and disrupting the availability of KVM-based infrastructure managed by CloudStack.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code on KVM hosts, allowing an attacker to compromise the integrity and confidentiality of resources, cause data loss, and disrupt the availability of KVM-based services managed by CloudStack.

Remediation

Users are advised to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1 or later, both of which address this vulnerability.
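As a quick triage aid, the following Python script (added here; it is not Apache CloudStack's own tooling) checks a deployed CloudStack version string against the affected ranges and fixed releases listed in this advisory and reports the nearest fixed release to upgrade to. It relies only on the version numbers stated above; any version outside the listed ranges is reported as not listed.

```python
"""Triage helper: is this CloudStack version in the advisory's affected ranges?
Example code added to this advisory, not CloudStack project code."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Inclusive ranges, exactly as the advisory states them.
AFFECTED_RANGES = [
    ("4.11.0", "4.20.2.0"),
    ("4.21.0.0", "4.22.0.0"),
]
# First fixed release on each line named in the Remediation section.
FIXED_RELEASES = ["4.20.3.0", "4.22.0.1"]


def parse_version(text: str) -> Version:
    """Turn '4.20.2.0' into (4, 20, 2, 0); pad to four components so that
    '4.11.0' compares as (4, 11, 0, 0) against four-part versions."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest listed fixed release newer than an affected version, or None
    when the version is not inside a listed affected range."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    newer = [f for f in FIXED_RELEASES if parse_version(f) > v]
    return min(newer, key=parse_version) if newer else None


if __name__ == "__main__":
    for sample in ["4.19.1.0", "4.20.2.0", "4.21.0.0", "4.22.0.1"]:
        fix = recommended_upgrade(sample)
        status = f"affected, upgrade to {fix}" if fix else "not in a listed affected range"
        print(f"{sample}: {status}")
```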

Added: May 8, 2026, 1:24 PM
Updated: May 8, 2026, 1:24 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 10.0
exploitability: 4.3
remediation: 8.3
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.