CVE-2025-54292

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-54292

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54292.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-54292

Downstream

DEBIAN-CVE-2025-54292

UBUNTU-CVE-2025-54292

Related

GHSA-7425-4qpj-v4w3

Published

2025-10-02T10:15:39.567Z

Modified

2026-02-23T08:30:20.443068Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

References

Affected packages

Git / github.com/canonical/lxd

Affected ranges

Type: GIT
Repo: https://github.com/canonical/lxd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fec3cc832ca782d398c82d38f8532ef9d5be2e00

Introduced

1e1349e3cbf30c1b2ce74e531d4dd0fd52c45be1

Fixed

0494f5d47e41af69a8374568c0cb8b3eefd72a6a

Affected versions

lxd-5.*

lxd-5.0.0

lxd-5.1

lxd-5.10

lxd-5.11

lxd-5.12

lxd-5.13

lxd-5.14

lxd-5.15

lxd-5.16

lxd-5.17

lxd-5.18

lxd-5.19

lxd-5.2

lxd-5.20

lxd-5.21.0

lxd-5.21.1

lxd-5.21.2

lxd-5.21.3

lxd-5.3

lxd-5.4

lxd-5.5

lxd-5.6

lxd-5.7

lxd-5.8

lxd-5.9

lxd-6.*

lxd-6.1

lxd-6.2

lxd-6.3

lxd-6.4

v5.*

v5.21.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54292.json"