{"package":"github.com/canonical/lxd","ecosystem":"go","latest_version":"v0.0.0-20260429074013-a2cf2557db3d","description":"Powerful system container and virtual machine manager","license":"AGPL-3.0","license_risk":"network_copyleft","commercial_use_notes":"AGPL-3.0: blocks closed-source SaaS — network use = distribution. Requires source disclosure to users.","homepage":"https://pkg.go.dev/github.com/canonical/lxd","repository":"https://github.com/canonical/lxd","downloads_weekly":4732,"health":{"score":45,"risk":"high","breakdown":{"maintenance":25,"popularity":6,"security":0,"maturity":9,"community":5},"deprecated":false,"max_score":100},"vulnerabilities":{"count":24,"critical":3,"high":4,"medium":4,"low":13,"details":[{"vuln_id":"GO-2025-4121","severity":"high","summary":"LXD vulnerable to a local privilege escalation through custom storage volumes","affected_versions":"<0.0.0-20251110144034-698854d0164f","fixed_version":"0.0.0-20251110144034-698854d0164f","source":"osv","published_at":"2025-11-13T23:01:44Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-54289","severity":"high","summary":"Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API","affected_versions":">=4.0,<5.21.4|>=6.0,<6.5|>=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-10-02T21:19:29Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13681,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54293","severity":"high","summary":"Canonical LXD Path Traversal Vulnerability in Instance Log File Retrieval 
Function","affected_versions":">=4.0,<5.21.4|>=6.0,<6.5|>=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250224180022-ec09b24179f3","fixed_version":"0.0.0-20250224180022-ec09b24179f3","source":"osv","published_at":"2025-10-02T21:15:53Z","in_kev":false,"epss_prob":0.00073,"epss_percentile":0.22011,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-6156","severity":"low","summary":"lxd CA certificate sign check bypass","affected_versions":"<0.0.0-20240708073652-5a492a3f0036","fixed_version":"0.0.0-20240708073652-5a492a3f0036","source":"osv","published_at":"2024-12-09T23:26:16Z","in_kev":false,"epss_prob":0.00052,"epss_percentile":0.16238,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54288","severity":"medium","summary":"Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server","affected_versions":">=4.0,<5.21.4|>=6.0,<6.5|>=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-10-02T21:20:25Z","in_kev":false,"epss_prob":0.00062,"epss_percentile":0.19146,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-34179","severity":"critical","summary":"LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin","affected_versions":">=0.0.0-20210305023314-538ac3df036e,<=0.0.0-20260226085519-736f34afb267","fixed_version":null,"source":"osv","published_at":"2026-04-10T19:20:50Z","in_kev":false,"epss_prob":0.00112,"epss_percentile":0.29436,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-3351","severity":"medium","summary":"lxd's non-recursive certificate listing bypasses per-object authorization and leaks all 
fingerprints","affected_versions":"<0.0.0-20260224152359-d936c90d47cf","fixed_version":"0.0.0-20260224152359-d936c90d47cf","source":"osv","published_at":"2026-03-04T20:18:56Z","in_kev":false,"epss_prob":0.00023,"epss_percentile":0.06266,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-34177","severity":"critical","summary":"LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf","affected_versions":">=0.0.0-20210305023314-538ac3df036e,<=0.0.0-20260226085519-736f34afb267","fixed_version":null,"source":"osv","published_at":"2026-04-10T19:21:00Z","in_kev":false,"epss_prob":0.00143,"epss_percentile":0.34282,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-6219","severity":"low","summary":"lxd has a restricted TLS certificate privilege escalation when in PKI mode","affected_versions":"<0.0.0-20240403103450-0e7f2b5bf4d2","fixed_version":"0.0.0-20240403103450-0e7f2b5bf4d2","source":"osv","published_at":"2024-12-09T22:43:13Z","in_kev":false,"epss_prob":0.00163,"epss_percentile":0.36845,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54290","severity":"medium","summary":"Canonical LXD Project Existence Determination Through Error Handling in Image Export Function","affected_versions":">=4.0,<5.21.4|>=6.0,<6.5|>=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-10-02T21:16:27Z","in_kev":false,"epss_prob":0.00099,"epss_percentile":0.27292,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54286","severity":"high","summary":"Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the 
LXD-UI","affected_versions":">=5.0,<5.0.5|>=5.1,<5.21.4|>=6.0,<6.5|>=0.0.0-20220401034332-1e1349e3cbf3,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-10-02T21:23:44Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07605,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-34178","severity":"critical","summary":"LXD: Importing a crafted backup leads to project restriction bypass","affected_versions":">=0.0.0-20210305023314-538ac3df036e,<=0.0.0-20260226085519-736f34afb267","fixed_version":null,"source":"osv","published_at":"2026-04-10T19:20:55Z","in_kev":false,"epss_prob":0.00048,"epss_percentile":0.14707,"threat_tier":"theoretical"},{"vuln_id":"GHSA-x9qq-236j-gj97","severity":"low","summary":"Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true","affected_versions":">=5.19.0,<5.20.0|>=0.0.0-20230920084527-cbe39c5d3f14,<0.0.0-20240118092008-ce1bd0dd37bb|=5.19.0","fixed_version":"0.0.0-20240118092008-ce1bd0dd37bb","source":"osv","published_at":"2023-12-05T23:32:58Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-54291","severity":"medium","summary":"Canonical LXD Project Existence Determination Through Error Handling in Image Get Function","affected_versions":">=4.0,<5.21.4|>=6.0,<6.5|>=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-10-02T21:15:46Z","in_kev":false,"epss_prob":0.00095,"epss_percentile":0.26211,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-6156","severity":"unknown","summary":"CA certificate sign check bypass in 
github.com/canonical/lxd","affected_versions":"<0.0.0-20240708073652-5a492a3f0036","fixed_version":"0.0.0-20240708073652-5a492a3f0036","source":"osv","published_at":"2024-12-09T18:32:51Z","in_kev":false,"epss_prob":0.00052,"epss_percentile":0.16238,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-6219","severity":"unknown","summary":"Restricted TLS certificate privilege escalation when in PKI mode in github.com/canonical/lxd","affected_versions":"<0.0.0-20240403103450-0e7f2b5bf4d2","fixed_version":"0.0.0-20240403103450-0e7f2b5bf4d2","source":"osv","published_at":"2024-12-09T18:32:51Z","in_kev":false,"epss_prob":0.00163,"epss_percentile":0.36845,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54289","severity":"unknown","summary":"Privilege Escalation via WebSocket Connection Hijacking in Operations API in github.com/canonical/lxd","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2025-11-05T18:41:07Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13681,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54293","severity":"unknown","summary":"Canonical LXD Path Traversal Vulnerability in Instance Log File Retrieval Function in github.com/canonical/lxd","affected_versions":">=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250224180022-ec09b24179f3","fixed_version":"0.0.0-20250224180022-ec09b24179f3","source":"osv","published_at":"2025-11-05T18:41:07Z","in_kev":false,"epss_prob":0.00073,"epss_percentile":0.22011,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54288","severity":"unknown","summary":"Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server in 
github.com/canonical/lxd","affected_versions":">=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-11-05T18:41:07Z","in_kev":false,"epss_prob":0.00062,"epss_percentile":0.19146,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54290","severity":"unknown","summary":"Canonical LXD Project Existence Determination Through Error Handling in Image Export Function in github.com/canonical/lxd","affected_versions":">=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-11-05T18:41:07Z","in_kev":false,"epss_prob":0.00099,"epss_percentile":0.27292,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54286","severity":"unknown","summary":"CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI in github.com/canonical/lxd","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2025-11-05T18:41:07Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07605,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54291","severity":"unknown","summary":"Canonical LXD Project Existence Determination Through Error Handling in Image Get Function in github.com/canonical/lxd","affected_versions":">=0.0.0-20200331193331-03aab09f5b5c,<0.0.0-20250827065555-0494f5d47e41","fixed_version":"0.0.0-20250827065555-0494f5d47e41","source":"osv","published_at":"2025-11-05T18:41:07Z","in_kev":false,"epss_prob":0.00095,"epss_percentile":0.26211,"threat_tier":"theoretical"},{"vuln_id":"GHSA-3g2j-vm47-x4mj","severity":"unknown","summary":"LXD vulnerable to a local privilege escalation through custom storage volumes in lxd in 
github.com/canonical/lxd","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2025-11-18T15:44:15Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2026-3351","severity":"unknown","summary":"Non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints in github.com/canonical/lxd","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2026-03-10T18:28:25Z","in_kev":false,"epss_prob":0.00023,"epss_percentile":0.06266,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v0.0.0-20260429074013-a2cf2557db3d","total_count":0,"recent":[]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":462,"first_published":null,"last_published":"2026-04-29T07:40:13Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["4 high severity vulnerabilities","3 critical vulnerabilities"],"use_version":"v0.0.0-20260429074013-a2cf2557db3d","version_hint":"Update to >= 0.0.0-20250827065555-0494f5d47e41 to fix the vulnerabilities resolved in that release; GO-2025-4121 and CVE-2026-3351 list later fixed versions (0.0.0-20251110144034-698854d0164f, 0.0.0-20260224152359-d936c90d47cf), and CVE-2026-34177, CVE-2026-34178 and CVE-2026-34179 list no fixed version and affect versions <= 0.0.0-20260226085519-736f34afb267","summary":"github.com/canonical/lxd has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false}}