This is the advisory publication site for Moksha, an independent security research practice operated by Jakob Wolffhechel in Copenhagen, Denmark. Moksha issues vulnerability advisories under the MOKSHA-YYYY-NNNN identifier scheme.
The first cohort - MOKSHA-2026-0001 through MOKSHA-2026-0089 - documents 89 independently exploitable vulnerabilities in XAPI, the management stack used by Citrix XenServer/Hypervisor and XCP-ng. These were identified during a 9-week systematic audit of every writable Map(String, String) field across 8 XAPI object types. The full disclosure narrative is at shittrix.moksha.dk.
MOKSHA identifiers are self-issued. They are not MITRE CVE IDs. Each advisory includes a companion .json file following the CVE JSON 5.1 schema for tooling compatibility. CVE IDs will be cross-referenced when assigned by MITRE or another CNA. See why Moksha issues its own identifiers for the full rationale.
| Severity | Count | CVSS 3.1 Range |
|---|---|---|
| Critical | 5 | 9.1 - 9.9 |
| High | 28 | 7.1 - 8.5 |
| Medium | 46 | 4.1 - 6.8 |
| Low | 10 | 2.3 - 3.8 |
| Total | 89 |
| MOKSHA ID | Semantic ID | Title | Severity | JSON |
|---|---|---|---|---|
| MOKSHA-2026-0001 | BOC-1 | Arbitrary Host Device Mount via VBD.other_config backend-local | Critical (9.9) | JSON |
| MOKSHA-2026-0002 | SMC-1 | Storage Protocol Injection via sm_config | Critical (9.9) | JSON |
| MOKSHA-2026-0003 | VOC-1 | System Domain Privilege Escalation via is_system_domain | Critical (9.9) | JSON |
| MOKSHA-2026-0004 | PDC-1 | iSCSI Target Redirection via PBD.device_config | Critical (9.1) | JSON |
| MOKSHA-2026-0005 | PDC-2 | NFS Server Redirection via PBD.device_config | Critical (9.1) | JSON |
| MOKSHA-2026-0006 | DOC-2 | Storage Migration Redirection via VDI.other_config maps_to | High (8.5) | JSON |
| MOKSHA-2026-0007 | BOC-2 | Backend-Kind I/O Driver Type Confusion via VBD.other_config | High (7.5) | JSON |
| MOKSHA-2026-0008 | VOC-2 | Storage Driver Domain PBD Detach DoS via VM.other_config | High (8.2) | JSON |
| MOKSHA-2026-0009 | PLAT-6 | QEMU Serial Host Filesystem Write via VM.platform hvm_serial | High (8.5) | JSON |
| MOKSHA-2026-0010 | PDC-5 | Block Device Path Injection via PBD.device_config | High (8.4) | JSON |
| MOKSHA-2026-0011 | NOC-1 | VIF Backend VM Hijack via Network.other_config backend_vm | High (8.4) | JSON |
| MOKSHA-2026-0012 | NOC-2 | OVS Fail-Mode Denial of Service via Network.other_config | High (8.2) | JSON |
| MOKSHA-2026-0013 | PLOC-6 | Pool-Wide OVS Fail-Mode Denial of Service via Pool.other_config | High (8.2) | JSON |
| MOKSHA-2026-0014 | PDC-6 | Local Initiator IQN Injection via PBD.device_config | High (8.1) | JSON |
| MOKSHA-2026-0015 | SSMC-2 | VHD Format Flag Corruption via SR.sm_config use_vhd | High (7.6) | JSON |
| MOKSHA-2026-0016 | PLAT-2 | PVinPVH Xen Kernel Command-Line Injection via VM.platform | High (7.6) | JSON |
| MOKSHA-2026-0017 | NOC-3 | Static Route Injection via Network.other_config | High (7.6) | JSON |
| MOKSHA-2026-0018 | PLOC-2 | HA Timeout Manipulation via Pool.other_config (Split-Brain/Blindness) | High (7.6) | JSON |
| MOKSHA-2026-0019 | DOC-1 | Tapdisk Memory Pool Injection via VDI.other_config mem-pool | High (7.5) | JSON |
| MOKSHA-2026-0020 | DOC-4 | CBT Metadata Corruption via VDI.other_config content_id | High (7.1) | JSON |
| MOKSHA-2026-0021 | VIOC-2 | Cross-VM Traffic Sniffing via VIF.other_config Promiscuous Mode | High (7.5) | JSON |
| MOKSHA-2026-0022 | BQP-1 | Real-Time I/O Class Abuse via VBD.qos_algorithm_params - Cross-VM Starvation | High (7.5) | JSON |
| MOKSHA-2026-0023 | PLOC-3 | Guest Agent Script Execution Enablement via Pool.other_config | High (7.2) | JSON |
| MOKSHA-2026-0024 | PDC-3 | NFS Mount Option Injection via PBD.device_config | High (7.2) | JSON |
| MOKSHA-2026-0025 | SSMC-3 | Storage Protocol Metadata Poisoning via SR.sm_config (targetIQN/target/LUNid) | High (7.2) | JSON |
| MOKSHA-2026-0026 | HOC-1 | Python Module Import Injection via Host.other_config multipathhandle | High (7.2) | JSON |
| MOKSHA-2026-0027 | POC-2 | Gateway/DNS Routing Hijack via PIF.other_config defaultroute/peerdns | High (7.2) | JSON |
| MOKSHA-2026-0028 | BOC-4 | VDI Lifecycle Corruption via VBD.other_config owner Key | High (7.1) | JSON |
| MOKSHA-2026-0029 | VIOC-1 | SR-IOV VIF Whitelist Bypass via VIF.other_config | High (7.1) | JSON |
| MOKSHA-2026-0030 | VOC-3 | XML Injection in Template Provisioning via VM.other_config disks | High (7.1) | JSON |
| MOKSHA-2026-0031 | XSD-1 | Guest Agent Poisoning via VM.xenstore_data vm-data Injection | High (7.1) | JSON |
| MOKSHA-2026-0032 | XSD-3 | Bidirectional Data Exfiltration via VM.xenstore_data Guest-to-XAPI-DB Sync | High (7.1) | JSON |
| MOKSHA-2026-0033 | VQP-1 | Rate Limit Bypass via VIF.qos_algorithm_params Large kbps Overflow | High (7.1) | JSON |
| MOKSHA-2026-0034 | DOC-5 | Coalesce Blocking via VDI.other_config leaf-coalesce | Medium (6.8) | JSON |
| MOKSHA-2026-0035 | HOC-2 | iSCSI Initiator Identity Spoofing via Host.other_config iscsi_iqn | Medium (6.8) | JSON |
| MOKSHA-2026-0036 | SOC-2 | LVM Configuration Injection via SR.other_config lvm-conf | Medium (6.7) | JSON |
| MOKSHA-2026-0037 | SOC-3 | VHD Test Mode and Failure Injection via SR.other_config testmode | Medium (6.5) | JSON |
| MOKSHA-2026-0038 | SSMC-1 | Provisioning Type Manipulation via SR.sm_config allocation | Medium (6.5) | JSON |
| MOKSHA-2026-0039 | SSMC-4 | Filesystem Layout Manipulation via SR.sm_config nosubdir/subdir | Medium (6.5) | JSON |
| MOKSHA-2026-0040 | PDC-4 | CHAP Credential Exposure via PBD.device_config | Medium (6.5) | JSON |
| MOKSHA-2026-0041 | PLOC-1 | Rolling Upgrade State Injection via Pool.other_config | Medium (6.5) | JSON |
| MOKSHA-2026-0042 | PLOC-4 | SMTP Server Redirection / Credential Exfiltration via Pool.other_config | Medium (6.5) | JSON |
| MOKSHA-2026-0043 | PLOC-5 | PBD Synchronization Bypass via Pool.other_config sync_create_pbds | Medium (6.5) | JSON |
| MOKSHA-2026-0044 | PLAT-1 | QEMU -parallel Path Traversal (VM DoS) via VM.platform | Medium (6.5) | JSON |
| MOKSHA-2026-0045 | POC-1 | Arbitrary Bond Property Injection via PIF.other_config bond-* | Medium (6.5) | JSON |
| MOKSHA-2026-0046 | POC-3 | MTU Manipulation / Network Partition via PIF.other_config | Medium (6.5) | JSON |
| MOKSHA-2026-0047 | POC-5 | DNS Search Domain Injection via PIF.other_config domain | Medium (6.1) | JSON |
| MOKSHA-2026-0048 | HOC-3 | Storage Availability Disruption via Host.other_config multipathing | Medium (5.5) | JSON |
| MOKSHA-2026-0049 | NOC-4 | HIMN Identity Hijack + DHCP Manipulation via Network.other_config | Medium (5.5) | JSON |
| MOKSHA-2026-0050 | SSMC-5 | LUNperVDI Mode Manipulation via SR.sm_config | Medium (5.5) | JSON |
| MOKSHA-2026-0051 | DOC-7 | Config Drive Misidentification via VDI.other_config config-drive | Medium (5.4) | JSON |
| MOKSHA-2026-0052 | BOC-5 | Leaked VBD Detection Spoofing via task_id/related_to | Medium (5.3) | JSON |
| MOKSHA-2026-0053 | VIOC-3 | MTU Manipulation (0-65535) via VIF.other_config | Medium (5.3) | JSON |
| MOKSHA-2026-0054 | VOC-4 | MAC Address Collision via VM.other_config mac_seed | Medium (5.3) | JSON |
| MOKSHA-2026-0055 | VOC-5 | set_other_config RBAC Bypass for PCI Passthrough Key | Medium (5.3) | JSON |
| MOKSHA-2026-0056 | VOC-6 | Console Access Manipulation via VM.other_config disable_pv_vnc | Medium (5.3) | JSON |
| MOKSHA-2026-0057 | XSD-2 | FIST Namespace Exposure via VM.xenstore_data | Medium (5.3) | JSON |
| MOKSHA-2026-0058 | XSD-4 | Xenstore Quota Exhaustion via VM.xenstore_data | Medium (5.3) | JSON |
| MOKSHA-2026-0059 | XSD-5 | Multi-Tenant Trust Confusion via VM.xenstore_data | Medium (5.3) | JSON |
| MOKSHA-2026-0060 | BQP-2 | Arbitrary Integer Passthrough to ionice via VBD.qos_algorithm_params | Medium (5.3) | JSON |
| MOKSHA-2026-0061 | BQP-3 | I/O Scheduling Downgrade to Idle Class via VBD.qos_algorithm_params | Medium (5.3) | JSON |
| MOKSHA-2026-0062 | VQP-2 | Rate Limit Removal via kbps=0 in VIF.qos_algorithm_params | Medium (5.3) | JSON |
| MOKSHA-2026-0063 | VQP-3 | Negative kbps Injection in VIF.qos_algorithm_params | Medium (5.3) | JSON |
| MOKSHA-2026-0064 | VXD-1 | Database Field Poisoning via VDI.xenstore_data Arbitrary Keys | Medium (5.3) | JSON |
| MOKSHA-2026-0065 | VXD-2 | SCSI Identity Forgery in XAPI Database via VDI.xenstore_data | Medium (5.3) | JSON |
| MOKSHA-2026-0066 | VXD-3 | Metadata Propagation via VDI Snapshot and Clone Operations | Medium (5.3) | JSON |
| MOKSHA-2026-0067 | VXD-4 | Cross-Pool Metadata Injection via VDI.xenstore_data on Pool Join | Medium (5.3) | JSON |
| MOKSHA-2026-0068 | PLAT-4 | Guest Xenstore Data Injection via VM.platform Map | Medium (5.3) | JSON |
| MOKSHA-2026-0069 | PLAT-5 | Hypervisor Security Feature Manipulation via VM.platform (nx/hap) | Medium (5.3) | JSON |
| MOKSHA-2026-0070 | VIOC-5 | Infrastructure Metadata Leak via SR-IOV VIF Xenstore Passthrough | Medium (5.0) | JSON |
| MOKSHA-2026-0071 | NOC-5 | OVS In-Band Management Disablement via Network.other_config | Medium (4.9) | JSON |
| MOKSHA-2026-0072 | HOC-4 | SR Scan Interval Manipulation via Host.other_config auto-scan-interval | Medium (4.9) | JSON |
| MOKSHA-2026-0073 | SOC-4 | SR Destruction Protection Bypass and DoS via SR.other_config indestructible | Medium (4.9) | JSON |
| MOKSHA-2026-0074 | SOC-5 | GC and Coalesce Disablement via SR.other_config | Medium (4.9) | JSON |
| MOKSHA-2026-0075 | PLOC-7 | Memory Ratio Bounds Relaxation via Pool.other_config | Medium (4.9) | JSON |
| MOKSHA-2026-0076 | POC-4 | Network Offload Disablement via PIF.other_config ethtool Keys | Medium (4.9) | JSON |
| MOKSHA-2026-0077 | VIOC-4 | VIF NIC Offload Disablement via VIF.other_config ethtool Keys | Medium (4.3) | JSON |
| MOKSHA-2026-0078 | DOC-6 | Guest Clock Manipulation via VDI.other_config timeoffset | Medium (4.3) | JSON |
| MOKSHA-2026-0079 | NOC-6 | Network Sharing Bypass via Network.other_config assume_network_is_shared | Medium (4.1) | JSON |
| MOKSHA-2026-0080 | SOC-1 | I/O Scheduler Sysfs Injection via SR.other_config scheduler | Low (3.8) | JSON |
| MOKSHA-2026-0081 | BOC-3 | I/O Polling Parameter Manipulation via VBD.other_config polling-duration | Low (3.1) | JSON |
| MOKSHA-2026-0082 | DOC-3 | VDI Lifecycle Behavior Manipulation via VDI.other_config on_boot/cbt_enabled | Low (3.1) | JSON |
| MOKSHA-2026-0083 | HBP-1 | Boot Order Manipulation via VM.HVM_boot_params order | Low (3.1) | JSON |
| MOKSHA-2026-0084 | HBP-2 | Firmware Type Denial of Service via VM.HVM_boot_params firmware | Low (3.1) | JSON |
| MOKSHA-2026-0085 | LPC-1 | Feature Restriction Bypass via Host.license_params restrict_* Keys | Low (2.3) | JSON |
| MOKSHA-2026-0086 | LPC-2 | License Expiry Manipulation via Host.license_params expiry | Low (2.3) | JSON |
| MOKSHA-2026-0087 | PLAT-3 | QEMU Device Model Selection via VM.platform device-model (Limited by Whitelist) | Low (2.3) | JSON |
| MOKSHA-2026-0088 | VQP-4 | Int64 Overflow in bytes_per_interval via VIF.qos_algorithm_params | Low (2.3) | JSON |
| MOKSHA-2026-0089 | VQP-5 | Raw kbps Value Exposure in Private Xenstore via VIF.qos_algorithm_params | Low (2.3) | JSON |
MOKSHA-YYYY-NNNN is a self-allocated vulnerability identifier scheme operated by Moksha. CVE reservations for all 89 findings were filed with MITRE on 2026-04-09. As of publication, MITRE has not responded. Parallel filings to GCVE/CIRCL, ENISA, and DIVD have also received no response. CERT/CC was notified on 2026-04-23.
Self-allocated advisory identifiers are not novel. ZDI, CIRCL, GCVE, GitHub (GHSA), and major vendors all maintain parallel numbering schemes alongside MITRE CVE. MOKSHA-YYYY-NNNN is the same pattern, scoped to one researcher.
The identifier scheme, the JSON format, and the advisory structure are designed for coexistence with CVE. When MITRE assigns CVE IDs, this site will be updated with cross-references. The MOKSHA URLs will not change.
For the full rationale, see Becoming My Own CNA.
Published here: 89 security advisories (human-readable + machine-readable JSON).
Available to CSIRTs and accredited coordinators on request: proof-of-concept scripts, evidence logs from live testing, IDS detection rules.
Not published: upstream patches (19 OCaml patches held privately), PoC exploit code, raw evidence logs.
Contact jakob@wolffhechel.dk or Signal +45 3170 7337.