{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "MOKSHA-2026-0083",
    "assignerOrgId": "moksha.dk",
    "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. CVE ID will be added to alternateIds when assigned by MITRE or another CNA.",
    "state": "PUBLISHED",
    "datePublished": "2026-04-24T06:00:00Z"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "moksha.dk",
        "shortName": "Moksha",
        "dateUpdated": "2026-04-24T06:00:00Z"
      },
      "title": "Boot Order Manipulation via VM.HVM_boot_params order",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary boot order string in VM.HVM_boot_params:order. The value is passed verbatim to QEMU as the -boot order argument at device.ml:3957-3958. XAPI performs no validation beyond replacing empty values with the default. QEMU ignores unrecognized characters, limiting impact to forcing PXE network boot when the attacker controls DHCP/PXE infrastructure. The field has zero map_keys_roles entries."
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 3.1,
            "baseSeverity": "LOW"
          }
        },
        {
          "format": "CVSS",
          "cvssV4_0": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "affected": [
        {
          "vendor": "Cloud Software Group",
          "product": "XenServer",
          "versions": [
            { "status": "affected", "version": "all", "versionType": "custom" }
          ]
        },
        {
          "vendor": "Vates",
          "product": "XCP-ng",
          "versions": [
            { "status": "affected", "version": "all", "versionType": "custom" }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Input Validation",
              "cweId": "CWE-20",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Missing Authorization",
              "cweId": "CWE-862",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        { "url": "https://cna.moksha.dk/MOKSHA-2026-0083" }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jakob Wolffhechel, Moksha"
        }
      ]
    }
  }
}