{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "MOKSHA-2026-0009",
    "assignerOrgId": "moksha.dk",
    "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. CVE ID will be added to alternateIds when assigned by MITRE or another CNA.",
    "state": "PUBLISHED",
    "datePublished": "2026-04-24T06:00:00Z"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "moksha.dk",
        "shortName": "Moksha",
        "dateUpdated": "2026-04-24T06:00:00Z"
      },
      "title": "QEMU Serial Host Filesystem Write via VM.platform hvm_serial",
      "descriptions": [
        {
          "lang": "en",
          "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can create arbitrary files on the host filesystem by setting VM.platform:hvm_serial to file:<path>. XAPI reads this key from the raw database record, bypassing the filtered_flags allowlist, and passes it to QEMU as the -serial argument. QEMU creates the target file as root even if the VM fails to start. This chains into all 34 FIST debug points in XAPI, enabling disablement of HA, memory checks, and other safety mechanisms without requiring BOC-1."
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
            "baseScore": 8.5,
            "baseSeverity": "HIGH"
          }
        },
        {
          "format": "CVSS",
          "cvssV4_0": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
            "baseScore": 8.5,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "affected": [
        {
          "vendor": "Cloud Software Group",
          "product": "XenServer",
          "versions": [
            { "status": "affected", "version": "all", "versionType": "custom" }
          ]
        },
        {
          "vendor": "Vates",
          "product": "XCP-ng",
          "versions": [
            { "status": "affected", "version": "all", "versionType": "custom" }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Input Validation",
              "cweId": "CWE-20",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
              "cweId": "CWE-22",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        { "url": "https://cna.moksha.dk/MOKSHA-2026-0009" }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jakob Wolffhechel, Moksha"
        }
      ]
    }
  }
}