{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0001", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0001"], "x_moksha_semantic_id": "BOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Arbitrary Host Device Mount via VBD.other_config backend-local", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can mount any host block device as a guest virtual disk by writing an arbitrary filesystem path to VBD.other_config:backend-local. The attack requires a single API call, no exploit code, and produces no security alerts. The vulnerability collapses the entire XAPI RBAC hierarchy, granting root-equivalent access to the hypervisor host, cross-VM data exfiltration, credential theft, SSH backdoor injection, and lateral movement across shared storage."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "baseScore": 9.4, "baseSeverity": "CRITICAL"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0001"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0001", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0001", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0002", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0002"], "x_moksha_semantic_id": "SMC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Storage Protocol Injection via sm_config", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can write arbitrary key-value pairs to VDI.sm_config and SR.sm_config. These fields store internal storage driver state including VHD chain metadata, GC control flags, and encryption key hashes. XAPI performs zero validation and never notifies the storage backend. SM drivers consume the attacker's data as authoritative internal state, turning the hypervisor into a silent proxy that forwards corrupted commands to the storage subsystem through the trusted management channel. Seven exploitation scenarios are confirmed with live evidence including VHD chain severance, SR-wide crash, GC misdirection, and storage saturation."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0002"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0002", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0002", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0003", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0003"], "x_moksha_semantic_id": "VOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "System Domain Privilege Escalation via is_system_domain", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can promote any VM to system domain status by writing is_system_domain=true to VM.other_config. This key has no per-key RBAC protection. A system-domain VM bypasses VBD sharing constraints (allowing concurrent write access to other VMs' virtual disks), gains access to the query_services operation, and bypasses lifecycle restrictions reserved for XAPI infrastructure components."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0003"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0003", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0003", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0004", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0004"], "x_moksha_semantic_id": "PDC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "iSCSI Target Redirection via PBD.device_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can create an iSCSI SR with attacker-controlled target and targetIQN values in PBD.device_config. The SM driver reads these values unchecked and passes them directly to iscsiadm for discovery and login. The hypervisor connects to the attacker's iSCSI target, enabling complete storage MITM: the attacker serves malicious disk images, captures all VM I/O, and intercepts CHAP credentials in transit."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0004"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0004", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0004", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0005", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0005"], "x_moksha_semantic_id": "PDC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "NFS Server Redirection via PBD.device_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can create an NFS SR with attacker-controlled server and serverpath values in PBD.device_config. The SM driver passes these values directly to mount.nfs without validation. The hypervisor mounts the attacker's NFS export as a storage repository, serving all VMs on that SR from attacker-controlled storage. The attacker controls all VM disk images, can inject malware into any VM, and exfiltrate all data written to the SR."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0005"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0005", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0005", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0006", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0006"], "x_moksha_semantic_id": "DOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Storage Migration Redirection via VDI.other_config maps_to", "descriptions": [{"lang": "en", "value": "The maps_to key in VDI.other_config in XAPI-based hypervisors (XenServer, XCP-ng) is used during cross-pool migration to map local VDIs to remote destinations. An attacker with root access (via BOC-1) can modify maps_to in the XAPI database mid-migration, redirecting disk operations to an attacker-controlled VDI. The import code reads the modified value via Ref.of_string() with no validation, enabling cross-tenant data exfiltration and data corruption during live migration."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.5, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0006"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0006", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0006", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0007", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0007"], "x_moksha_semantic_id": "BOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Backend-Kind I/O Driver Type Confusion via VBD.other_config", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can change the storage I/O backend driver for any VBD by writing to VBD.other_config:backend-kind. This key selects whether kernel blkback or userspace tapdisk handles I/O. An attacker can force a VBD to use an unexpected backend, bypassing tapdisk-level access controls, monitoring, and VHD chain processing. The key has no per-key RBAC protection and accepts arbitrary values."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0007"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0007", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0007", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0008", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0008"], "x_moksha_semantic_id": "VOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Storage Driver Domain PBD Detach DoS via VM.other_config", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can inject a PBD reference into VM.other_config:storage_driver_domain. When the VM is shut down, XAPI calls Storage_access.reset on the referenced PBD's SR and sets the PBD's currently_attached field to false, clearing internal storage state. When the VM starts, XAPI forces a PBD plug on the injected reference. This enables denial-of-service against arbitrary storage repositories by cycling the injected VM's lifecycle."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H", "baseScore": 8.4, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0008"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0008", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0008", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0009", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0009"], "x_moksha_semantic_id": "PLAT-6"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "QEMU Serial Host Filesystem Write via VM.platform hvm_serial", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can create arbitrary files on the host filesystem by setting VM.platform:hvm_serial to file:<path>. XAPI reads this key from the raw database record, bypassing the filtered_flags allowlist, and passes it to QEMU as the -serial argument. QEMU creates the target file as root even if the VM fails to start. This chains into all 34 FIST debug points in XAPI, enabling disablement of HA, memory checks, and other safety mechanisms without requiring BOC-1."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L", "baseScore": 8.5, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "baseScore": 8.5, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0009"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0009", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0009", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0010", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0010"], "x_moksha_semantic_id": "PDC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Block Device Path Injection via PBD.device_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject an arbitrary block device path via PBD.device_config:device when creating an EXT or LVM SR. The SM driver reads the path and passes it to pvcreate and vgcreate, which execute destructive operations on the attacker-chosen device. A systemroot check protects the host root device, but does not protect other partitions, additional disks, remote block devices, or other VMs' local storage. Data destruction on arbitrary accessible block devices results."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:L/SI:L/SA:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0010"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0010", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0010", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0011", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0011"], "x_moksha_semantic_id": "NOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "VIF Backend VM Hijack via Network.other_config backend_vm", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all VIF traffic on a network through an attacker-controlled VM by setting Network.other_config:backend_vm to a VM UUID they control. XAPI reads this key in xapi_xenops.ml and returns Network.Remote(backend_vm, bridge) instead of Network.Local(bridge) for all subsequent VIF creations on that network. All VMs connected to the network have their traffic routed through the attacker VM, enabling traffic interception, credential sniffing, and man-in-the-middle attacks."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.8, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0011"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0011", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0011", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0012", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0012"], "x_moksha_semantic_id": "NOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "OVS Fail-Mode Denial of Service via Network.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause a complete network denial of service on any OVS bridge by setting Network.other_config:vswitch-controller-fail-mode to secure. In secure fail mode, OVS drops all packets when no SDN controller is reachable. Since most XAPI deployments do not configure an SDN controller, this immediately drops all traffic on the bridge, affecting every VM and management connection on that network."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0012"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0012", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0012", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0013", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0013"], "x_moksha_semantic_id": "PLOC-6"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Pool-Wide OVS Fail-Mode Denial of Service via Pool.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause a complete network outage across every host in the pool by setting Pool.other_config:vswitch-controller-fail-mode to secure. This pool-level key serves as the default fail mode for every OVS bridge without a per-network override. Without an SDN controller - the common deployment case - all network traffic is dropped on all bridges across all hosts pool-wide, affecting every VM, management connection, and storage path in the pool."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0013"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0013", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0013", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0014", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0014"], "x_moksha_semantic_id": "PDC-6"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Local Initiator IQN Injection via PBD.device_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can overwrite the host's iSCSI initiator identity by injecting an arbitrary IQN via PBD.device_config:localIQN. The SM driver calls iscsilib.set_IQN() which writes the attacker-supplied value to /etc/iscsi/initiatorname.iscsi. All subsequent iSCSI operations from the host use the spoofed IQN, bypassing storage array access controls based on initiator identity. Enterprise storage arrays commonly use IQN-based ACLs as the primary access control mechanism for iSCSI LUNs."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Authentication", "cweId": "CWE-287", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0014"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0014", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0014", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0015", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0015"], "x_moksha_semantic_id": "SSMC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "VHD Format Flag Corruption via SR.sm_config use_vhd", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause complete data loss for all VDIs on an LVHD storage repository by removing the use_vhd key from SR.sm_config. This key determines whether the LVHDSR driver operates in VHD format or raw LV mode. Removing it causes the driver to fall back to raw LV mode on the next PBD plug cycle. VHD-format VDIs accessed in raw mode produce garbage data, and raw-mode writes corrupt VHD metadata structures, resulting in unrecoverable data loss for every VDI on the affected SR."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.6, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N", "baseScore": 8.4, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0015"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0015", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0015", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0016", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0016"], "x_moksha_semantic_id": "PLAT-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "PVinPVH Xen Kernel Command-Line Injection via VM.platform", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary Xen hypervisor boot parameters into the PVinPVH xen-shim kernel command line by setting VM.platform:pvinpvh-xen-cmdline to an attacker-controlled string. xenopsd reads this value with zero validation and passes it directly to xenguesthelper. The attacker can disable speculative execution mitigations (spec-ctrl=no), remove Meltdown protection (xpti=false), disable L1TF mitigation (pv-l1tf=false), and disable DMA protection (iommu=no) for the affected PVinPVH domain."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H", "baseScore": 7.6, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "baseScore": 8.5, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0016"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0016", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0016", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0017", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0017"], "x_moksha_semantic_id": "NOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Static Route Injection via Network.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary static routes into the host routing table by setting Network.other_config:static-routes to attacker-controlled subnet/gateway pairs. The value is parsed by nm.ml and applied directly to the bridge interface with no validation on subnet, gateway reachability, or conflicts with existing routes. Injected routes redirect storage network traffic, management traffic, or cloud subnet traffic through an attacker-controlled gateway."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 7.6, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.0, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0017"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0017", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0017", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0018", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0018"], "x_moksha_semantic_id": "PLOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "HA Timeout Manipulation via Pool.other_config (Split-Brain/Blindness)", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the High Availability timeout by setting Pool.other_config:default_ha_timeout to an arbitrary integer. The value is read by xapi_ha.ml via int_of_string with no range check. A timeout of 1 second causes spurious HA fencing events and cascading host reboots (split-brain). A timeout of 999999 seconds effectively disables HA, leaving host failures undetected for days and HA-protected VMs without failover. Both outcomes affect every HA-protected VM across the entire pool."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.6, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0018"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0018", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0018", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0019", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0019"], "x_moksha_semantic_id": "DOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Tapdisk Memory Pool Injection via VDI.other_config mem-pool", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject an arbitrary mem-pool value into VDI.other_config that flows unsanitized to tapdisk - a root-level storage I/O daemon - via xenstore. The SM driver reads other_config mem-pool in blktap2.py without any sanitization and writes it to xenstore as a tapdisk parameter. Tapdisk runs as root and reads the unsanitized pool name from xenstore to configure its memory allocation behavior. This creates a direct injection path from a low-privilege API user into a root-level service configuration."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0019"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0019", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0019", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0020", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0020"], "x_moksha_semantic_id": "DOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "CBT Metadata Corruption via VDI.other_config content_id", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt Change Block Tracking (CBT) metadata by injecting a crafted content_id value into VDI.other_config. The content_id key is used by the XAPI storage bridge to track VDI content identity across activate/deactivate/clone cycles. Incremental backup solutions use content_id to determine the base snapshot for changed-block calculations. A forged UUID causes the backup system to use an incorrect base, missing changed blocks and producing backups that silently lose data on restore."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0020"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0020", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0020", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0021", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0021"], "x_moksha_semantic_id": "VIOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Cross-VM Traffic Sniffing via VIF.other_config Promiscuous Mode", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can enable promiscuous mode on a VIF bridge port by setting VIF.other_config:promiscuous to true. The VIF hotplug script writes to /sys/class/net/vifX.Y/brport/promisc, causing the guest VM to receive all frames on the Linux bridge including traffic destined for other VMs. This enables cross-VM traffic sniffing in multi-tenant environments using Linux bridge networking. The key has no per-key RBAC protection and the attack requires a single API call."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0021"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0021", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0021", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0022", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0022"], "x_moksha_semantic_id": "BQP-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Real-Time I/O Class Abuse via VBD.qos_algorithm_params - Cross-VM Starvation", "descriptions": [{"lang": "en", "value": "A user with the vm-admin role in XAPI-based hypervisors (XenServer, XCP-ng) can set the real-time I/O scheduling class on VBD kernel threads by writing sched=rt and class=highest to VBD.qos_algorithm_params. xenopsd invokes ionice -c1 -n0 on the affected threads, granting strict priority over all best-effort and idle I/O on the host. This starves I/O for every other VM on the same host. The change takes effect immediately without VBD replug and produces no security alert."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0022"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0022", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0022", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0023", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0023"], "x_moksha_semantic_id": "PLOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Guest Agent Script Execution Enablement via Pool.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can enable the guest agent run-script security gate by setting Pool.other_config:allow_guest_agent_run_script to true. Live gate bypass proven: without key returns FEATURE_RESTRICTED, with key the call passes to xenopsd. Full guest command execution requires guest agent tools (modeled). The key has no per-key RBAC protection and no write-time validation."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0023"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0023", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0023", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0024", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0024"], "x_moksha_semantic_id": "PDC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "NFS Mount Option Injection via PBD.device_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary NFS mount options via PBD.device_config:options when creating an NFS storage repository. The NFSSR driver appends these options directly to the mount.nfs command without sanitization. An attacker can inject sec=none to disable NFS authentication, noac to cause performance denial of service, or ro to force read-only access. The attack was confirmed via live testing with all checks passing."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:N", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Neutralization of Argument Delimiters in a Command", "cweId": "CWE-88", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0024"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0024", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0024", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0025", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0025"], "x_moksha_semantic_id": "SSMC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Storage Protocol Metadata Poisoning via SR.sm_config (targetIQN/target/LUNid)", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage protocol metadata by modifying targetIQN, target, datatype, or LUNid keys in SR.sm_config on iSCSI and HBA storage repositories. These keys are written by the SM driver during SR.create and read back during subsequent operations, but the field remains writable after creation. Modifying LUNid causes VDI operations to target the wrong LUN, enabling cross-SR data corruption. This is an SR-level variant of the SMC-1 storage protocol injection vector."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N", "baseScore": 8.4, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0025"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0025", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0025", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0026", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0026"], "x_moksha_semantic_id": "HOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Python Module Import Injection via Host.other_config multipathhandle", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a controlled Python module name via Host.other_config:multipathhandle. The SM driver SR._mpathinit() passes this value to Python __import__() as mpath_<value>. Combined with a file write primitive (provided by BOC-1), an attacker places a malicious .py file in /opt/xensource/sm/ and triggers import as root during the next SR operation. Standalone exploitation requires pool-operator plus an independent file write capability."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "baseScore": 9.3, "baseSeverity": "CRITICAL"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Control of Dynamically-Managed Code Resources", "cweId": "CWE-913", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0026"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0026", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0026", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0027", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0027"], "x_moksha_semantic_id": "POC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Gateway/DNS Routing Hijack via PIF.other_config defaultroute/peerdns", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can hijack host-level network routing and DNS resolution by setting defaultroute=true and peerdns=true on an attacker-chosen PIF via PIF.other_config. All host outbound traffic routes through the selected PIF gateway, and all DNS queries resolve through the selected PIF DNS server. This enables man-in-the-middle attacks on management and storage traffic and DNS poisoning at the host level. PIF.other_config has the highest merge precedence in the other_config merge chain."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0027"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0027", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0027", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0028", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0028"], "x_moksha_semantic_id": "BOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "VDI Lifecycle Corruption via VBD.other_config owner Key", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the owner key in VBD.other_config to cause unintended VDI deletion or prevent VDI cleanup during VM uninstall operations. Setting owner on a shared VDI's VBD causes the VDI to be destroyed when the VM is uninstalled, even though other VMs still reference it. Removing the owner key causes VDIs to be orphaned, leading to gradual storage exhaustion. The key has no per-key RBAC protection."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0028"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0028", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0028", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0029", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0029"], "x_moksha_semantic_id": "VIOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "SR-IOV VIF Whitelist Bypass via VIF.other_config", "descriptions": [{"lang": "en", "value": "On SR-IOV-backed VIFs in XAPI-based hypervisors (XenServer, XCP-ng), all VIF.other_config keys bypass the whitelist filter and are written unfiltered to guest-readable xenstore. The standard VIF path (Device.Vif.add) applies a 7-key whitelist; the SR-IOV path (Device.NetSriovVf.add) does not apply this filter. This breaks security equivalence between standard and SR-IOV VIFs, allowing a vm-admin to inject arbitrary key-value pairs into guest-readable xenstore on SR-IOV networks."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0029"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0029", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0029", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0030", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0030"], "x_moksha_semantic_id": "VOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "XML Injection in Template Provisioning via VM.other_config disks", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject crafted XML into VM.other_config:disks, which is parsed via Xml.parse_string during template provisioning. The parser expects a provision/disk structure and extracts device, size, sr, bootable, and type attributes. Malformed XML causes provisioning denial of service. Well-formed but malicious XML enables SR targeting for VDI creation, storage exhaustion via extreme disk sizes, and resource exhaustion via mass VDI specification. The key has no per-key RBAC protection."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Restriction of XML External Entity Reference", "cweId": "CWE-611", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0030"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0030", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0030", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0031", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0031"], "x_moksha_semantic_id": "XSD-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Guest Agent Poisoning via VM.xenstore_data vm-data Injection", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into a guest domain's xenstore vm-data/ directory by writing to VM.xenstore_data. Guest agents read this directory as trusted hypervisor configuration with no mechanism to distinguish legitimate data from attacker-injected data. Guest agents consuming xenstore configuration - server endpoints, update sources, monitoring targets - are directed to attacker-controlled infrastructure. The field has zero per-key RBAC protection."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0031"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0031", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0031", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0032", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0032"], "x_moksha_semantic_id": "XSD-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Bidirectional Data Exfiltration via VM.xenstore_data Guest-to-XAPI-DB Sync", "descriptions": [{"lang": "en", "value": "The VM.xenstore_data field in XAPI-based hypervisors (XenServer, XCP-ng) creates a bidirectional data channel between guest domains and the XAPI management database. Guest writes to vm-data/ in xenstore are read by xenopsd during periodic state synchronization and propagated into VM.xenstore_data in the XAPI database. This is the only confirmed path where a guest domain can inject data into the XAPI database without API authentication. Any API consumer reading VM.xenstore_data receives attacker-injected values."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Isolation or Compartmentalization", "cweId": "CWE-653", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0032"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0032", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0032", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0033", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0033"], "x_moksha_semantic_id": "VQP-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Rate Limit Bypass via VIF.qos_algorithm_params Large kbps Overflow", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params:kbps to an extremely large value that causes bytes_per_interval to exceed 0xffffffffL during computation in xenopsd. xenopsd correctly rejects the out-of-range value but does so silently with only a debug-level log. XAPI continues to show the configured rate limit in the database. The VM operates without network rate limiting while the management plane reports it as enforced."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Integer Overflow or Wraparound", "cweId": "CWE-190", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0033"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0033", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0033", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0034", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0034"], "x_moksha_semantic_id": "DOC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Coalesce Blocking via VDI.other_config leaf-coalesce", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can permanently block VHD leaf coalesce operations on any VDI by setting VDI.other_config:leaf-coalesce to false. The SM garbage collector reads this key and skips leaf coalesce when the value is false. Snapshot chains grow unbounded, consuming storage until the SR reaches capacity or the VHD chain exceeds maximum depth. The same mechanism allows disabling all garbage collection via gc=false or coalesce=false. These keys have no per-key RBAC protection."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Uncontrolled Resource Consumption", "cweId": "CWE-400", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0034"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0034", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0034", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0035", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0035"], "x_moksha_semantic_id": "HOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "iSCSI Initiator Identity Spoofing via Host.other_config iscsi_iqn", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can overwrite the host's iSCSI initiator identity by setting Host.other_config:iscsi_iqn to an arbitrary IQN string. The XAPI event watcher thread syncs this value to /etc/iscsi/initiatorname.iscsi without format validation. All subsequent iSCSI operations use the spoofed initiator name. Storage targets using IQN-based ACLs grant access based on the spoofed identity, enabling unauthorized access to LUNs belonging to other hosts or tenants."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N", "baseScore": 6.9, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Authentication", "cweId": "CWE-287", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0035"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0035", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0035", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0036", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0036"], "x_moksha_semantic_id": "SOC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "LVM Configuration Injection via SR.other_config lvm-conf", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary LVM configuration by setting SR.other_config:lvm-conf to a crafted value. The value is interpolated into --config devices{VALUE} in LVM commands executed by SM drivers without sanitization. The LVM --config parameter accepts arbitrary configuration overrides including device filter rules, enabling device filter manipulation that affects which block devices LVM operates on across storage repositories."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.0, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Neutralization of Argument Delimiters in a Command", "cweId": "CWE-88", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0036"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0036", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0036", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0037", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0037"], "x_moksha_semantic_id": "SOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "VHD Test Mode and Failure Injection via SR.other_config testmode", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can activate VHD failure injection on production storage by setting SR.other_config:testmode to a recognized test mode string. The SM driver matches the value against the ENV_VAR_VHD_TEST dictionary, and matching values cause environment variables to be set that instruct vhd-util to simulate failures during structural VHD operations. The resulting failures leave VHD metadata in an inconsistent state - a targeted data corruption attack indistinguishable from legitimate internal errors."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.0, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Active Debug Code", "cweId": "CWE-489", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0037"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0037", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0037", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0038", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0038"], "x_moksha_semantic_id": "SSMC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Provisioning Type Manipulation via SR.sm_config allocation", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can corrupt storage provisioning behavior by modifying or removing the allocation key in SR.sm_config after SR creation. The key controls whether LVHD SRs use thin or thick provisioning. Changing allocation from thin to thick causes new VDIs to pre-allocate full LV size instead of thin-provisioning. On overcommitted SRs, this causes immediate storage exhaustion. Restoring the key does not shrink already-inflated LVs - recovery requires storage migration."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "baseScore": 8.7, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0038"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0038", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0038", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0039", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0039"], "x_moksha_semantic_id": "SSMC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Filesystem Layout Manipulation via SR.sm_config nosubdir/subdir", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the filesystem layout of NFS and MooseFS storage repositories by modifying the nosubdir or subdir key in SR.sm_config after SR creation. Changing nosubdir causes the driver to look for VDIs in the wrong directory. All VDIs appear missing, causing VM boot failures and complete data inaccessibility for all VMs on the affected SR. The attack is reversible but causes service disruption."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "baseScore": 8.5, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0039"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0039", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0039", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0040", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0040"], "x_moksha_semantic_id": "PDC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "CHAP Credential Exposure via PBD.device_config", "descriptions": [{"lang": "en", "value": "CHAP authentication credentials for iSCSI storage connections in XAPI-based hypervisors (XenServer, XCP-ng) are stored in PBD.device_config as chapuser (plaintext) and chappassword_secret (XAPI secret reference). Any pool-operator can read the PBD record to obtain the chapuser and secret reference, then call secret.get_value() to resolve the cleartext password. This enables cross-user credential theft. The credentials are also stored in plaintext in the XAPI database on disk, accessible via BOC-1 filesystem read."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N", "baseScore": 6.9, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficiently Protected Credentials", "cweId": "CWE-522", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0040"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0040", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0040", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0041", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0041"], "x_moksha_semantic_id": "PLOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Rolling Upgrade State Injection via Pool.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject a fake rolling upgrade state by writing the rolling_upgrade_in_progress key to Pool.other_config. The mere presence of this key causes helpers.ml to return true, disabling version compatibility checks, altering pool behavior during operations, and preventing detection of version mismatches across the pool. The key has no map_keys_roles protection and no write-time validation."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "baseScore": 7.7, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0041"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0041", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0041", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0042", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0042"], "x_moksha_semantic_id": "PLOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "SMTP Server Redirection / Credential Exfiltration via Pool.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can redirect all pool alert emails through an attacker-controlled SMTP server by writing ssmtp-mailhub and related ssmtp-* keys to Pool.other_config. The mail-alarm script uses these keys as unsanitized macro replacements in the ssmtp configuration template, enabling SMTP server redirection, alert data exfiltration, and potential SMTP credential theft."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0042"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0042", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0042", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0043", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0043"], "x_moksha_semantic_id": "PLOC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "PBD Synchronization Bypass via Pool.other_config sync_create_pbds", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable automatic PBD creation for shared storage repositories by setting sync_create_pbds to nosync in Pool.other_config. The create_storage.ml module checks this value during host boot and skips PBD creation when set, causing shared storage to remain disconnected after reboot. VMs depending on shared storage cannot start. The disruption persists across reboots until the key is manually removed."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.0, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0043"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0043", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0043", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0044", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0044"], "x_moksha_semantic_id": "PLAT-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "QEMU -parallel Path Traversal (VM DoS) via VM.platform", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can prevent a VM from starting by injecting a path traversal payload into VM.platform:parallel. The prefix check in vm_platform.ml accepts any string starting with /dev/parport, but path traversal payloads pass the check and are forwarded to QEMU as the -parallel argument. QEMU's parport chardev backend expects a device node - the payload causes QEMU initialization failure, preventing VM startup. No host filesystem read or write capability was confirmed."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0044"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0044", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0044", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0045", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0045"], "x_moksha_semantic_id": "POC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Arbitrary Bond Property Injection via PIF.other_config bond-*", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary bond configuration properties by writing keys with the bond- prefix to PIF.other_config. The nm.ml module extracts any key with the bond- prefix, strips the prefix, and passes the remainder as a bond property override with zero validation on property names or values. This enables bond mode changes, timer manipulation, and injection of invalid parameters causing OVS errors and network disruption."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0045"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0045", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0045", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0046", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0046"], "x_moksha_semantic_id": "POC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "MTU Manipulation / Network Partition via PIF.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can cause network partition by setting the mtu key in PIF.other_config to an extreme value. The nm.ml module parses the value with int_of_string and applies it as the interface MTU with no range validation. Setting MTU too low on the management interface causes packet drops that partition the host from the pool. On HA-enabled pools, management network partitioning triggers HA fencing."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0046"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0046", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0046", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0047", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0047"], "x_moksha_semantic_id": "POC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "DNS Search Domain Injection via PIF.other_config domain", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary DNS search domains into the host resolver configuration by writing to PIF.other_config:domain. The nm.ml module reads this key, splits on commas, and passes the resulting domain list to xcp-networkd with no validation. Injected search domains cause unqualified hostname lookups to resolve through attacker-controlled domains, enabling DNS hijack of internal service discovery."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0047"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0047", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0047", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0048", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0048"], "x_moksha_semantic_id": "HOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Storage Availability Disruption via Host.other_config multipathing", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable multipath I/O redundancy on a host by writing multipathing=false to Host.other_config. SM drivers read this key during initialization and switch to single-path I/O. If the single remaining storage path fails, all VMs on that storage become unavailable. The field has no map_keys_roles protection for infrastructure keys, and the degradation produces no warnings or alerts."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.0, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0048"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0048", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0048", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0049", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0049"], "x_moksha_semantic_id": "NOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "HIMN Identity Hijack + DHCP Manipulation via Network.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can hijack the Host Internal Management Network (HIMN) identity or manipulate guest VM DHCP configuration by modifying is_host_internal_management_network, ip_begin, ip_end, and netmask keys in Network.other_config. Marking a second network as HIMN creates identity ambiguity in XAPI's List.find resolution. Modifying the DHCP range enables IP exhaustion attacks or assignment of IPs outside the expected link-local range, disrupting guest agent communication."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0049"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0049", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0049", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0050", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0050"], "x_moksha_semantic_id": "SSMC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "LUNperVDI Key Injection via SR.sm_config (dead code)", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can inject the LUNperVDI key into SR.sm_config. Source analysis confirms _addLUNperVDIkey() at SR.py:226 is defined but never called by any SM driver, and no driver reads sm_config LUNperVDI to decide behavior. Impact is limited to key persistence without backend consumption. The sm_config field has zero map_keys_roles entries and remains writable after SR creation despite being intended as driver-managed metadata."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0050"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0050", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0050", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0051", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0051"], "x_moksha_semantic_id": "DOC-7"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Config Drive Misidentification via VDI.other_config config-drive", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can mark any VDI as a cloud-init config drive by setting config-drive=true in VDI.other_config. The key is defined in xapi_globs.ml as a sync key and consumed during migration and import operations. Guest cloud-init agents misinterpret the flagged VDI's contents as trusted hypervisor-provided metadata, potentially initializing the guest with attacker-controlled configuration."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 2.3, "baseSeverity": "LOW"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0051"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0051", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0051", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0052", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0052"], "x_moksha_semantic_id": "BOC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Leaked VBD Detection Spoofing via task_id/related_to", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can spoof the task_id and related_to keys in VBD.other_config to evade leaked VBD detection. These keys track which task created a VBD and which control domain it belongs to. By injecting false values, an attacker makes malicious VBDs appear as legitimate control-domain attachments, causing the cleanup subsystem to skip them. VBD.other_config has zero map_keys_roles entries."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0052"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0052", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0052", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0053", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0053"], "x_moksha_semantic_id": "VIOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "MTU Manipulation (0-65535) via VIF.other_config", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary MTU value (0 through 65535) on any VIF by writing the mtu key in VIF.other_config. The value is parsed by int_of_string at xapi_xenops.ml:773 with no range validation and applied via ip link set. Extreme MTU values cause network disruption including packet fragmentation, dropped frames, and connectivity failures."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0053"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0053", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0053", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0054", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0054"], "x_moksha_semantic_id": "VOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "MAC Address Collision via VM.other_config mac_seed", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can cause MAC address collisions by setting the mac_seed key in VM.other_config to a value copied from another VM. The MAC generation algorithm in xapi_vif_helpers.ml uses this seed deterministically. Pool-level duplicate detection exists but only runs during pool join and import, not during direct other_config writes. MAC collisions cause network connectivity failures, ARP table corruption, and traffic misdirection."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0054"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0054", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0054", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0055", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0055"], "x_moksha_semantic_id": "VOC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "set_other_config RBAC Bypass for PCI Passthrough Key", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can bypass the pool-admin-restricted pci key in VM.other_config by using VM.set_other_config instead of VM.add_to_other_config. The set_other_config method replaces the entire map atomically without checking per-key RBAC (map_keys_roles). This allows a vm-admin to assign PCI devices to a VM, granting the guest direct DMA access to host memory regions. The bypass is acknowledged in datamodel.ml:614-624 as a known architectural limitation."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0055"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0055", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0055", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0056", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0056"], "x_moksha_semantic_id": "VOC-6"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Console Access Manipulation via VM.other_config disable_pv_vnc", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable the VNC console for any PV guest by setting disable_pv_vnc in VM.other_config. The key is consumed at xapi_xenops.ml:497 via a presence check - when the key exists, xenopsd sets vncterm=false and the VNC terminal is not started. In multi-tenant environments, this denies console access to VMs, preventing operator troubleshooting and incident response."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0056"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0056", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0056", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0057", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0057"], "x_moksha_semantic_id": "XSD-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "FIST Namespace Exposure via VM.xenstore_data", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject FIST/-prefixed keys into VM.xenstore_data, polluting the Fault Injection Service Testing namespace. The FIST prefix is included in allowed_xsdata_prefixes at domain.ml:164, allowing these keys to pass through the xenopsd filter. While XAPI's actual fault injection reads /tmp/fist_* files on disk (not xenstore), the namespace pollution persists across VM restarts and establishes a pre-positioned injection path for future xenstore-based FIST consumption."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0057"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0057", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0057", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0058", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0058"], "x_moksha_semantic_id": "XSD-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Xenstore Quota Exhaustion via VM.xenstore_data", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can exhaust a guest domain's xenstore quota by injecting a large number of vm-data/* keys into VM.xenstore_data. Xenstore enforces a per-domain quota shared with guest agent data. When injected data consumes the quota, the guest's own xenstore operations fail, disrupting PV drivers, network configuration, and guest agent communication. The field has zero map_keys_roles entries and no value length limits."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Uncontrolled Resource Consumption", "cweId": "CWE-400", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0058"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0058", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0058", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0059", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0059"], "x_moksha_semantic_id": "XSD-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Multi-Tenant Trust Confusion via VM.xenstore_data", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject vm-data/* keys into VM.xenstore_data that modify guest behavior across trust boundaries in delegated VM administration environments. Guest OSes treat all vm-data/ entries as trusted hypervisor configuration with no mechanism to distinguish legitimate data from vm-admin-injected data. This enables supply chain attacks via installation source redirection, configuration endpoint hijacking, and credential injection in multi-tenant pools."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0059"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0059", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0059", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0060", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0060"], "x_moksha_semantic_id": "BQP-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Arbitrary Integer Passthrough to ionice via VBD.qos_algorithm_params", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can pass arbitrary integer values to the Linux ionice binary via the class key in VBD.qos_algorithm_params. The qos_class parser at xapi_xenops.ml:595-600 accepts any integer via Other(int_of_string s), and Ionice.to_class_param passes Other x directly as the -n argument. No range validation is performed - valid range is 0-7 but negative and extreme values are accepted. Kernel behavior with out-of-range ionice values is undefined. Changes take effect immediately without VBD replug."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0060"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0060", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0060", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0061", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0061"], "x_moksha_semantic_id": "BQP-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "I/O Scheduling Downgrade to Idle Class via VBD.qos_algorithm_params", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can downgrade a target VM's I/O scheduling class to idle by setting sched=idle in VBD.qos_algorithm_params. The idle class causes the kernel to service VBD kernel threads only when no other I/O is pending. Under any host I/O load, the target VM experiences severe I/O starvation. The field has zero map_keys_roles entries, and QoS changes take effect immediately via hot-apply without VBD replug."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0061"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0061", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0061", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0062", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0062"], "x_moksha_semantic_id": "VQP-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Rate Limit Removal via kbps=0 in VIF.qos_algorithm_params", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can silently disable VIF rate limiting by setting kbps=0 in VIF.qos_algorithm_params. XAPI accepts the zero value without validation. xenopsd correctly rejects it at plug time (bytes_per_interval fails the >0L check), but the rejection is invisible - only a debug-level log is emitted. The XAPI database shows rate limiting as configured while xenstore has no rate enforced, creating a false positive for administrators and monitoring tools."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0062"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0062", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0062", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0063", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0063"], "x_moksha_semantic_id": "VQP-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Negative kbps Injection in VIF.qos_algorithm_params", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject negative kbps values into VIF.qos_algorithm_params. XAPI parses via Int64.of_string without sign validation. xenopsd computes a negative bytes_per_interval which fails the >0L bounds check, silently dropping the rate limit. The XAPI database shows the negative value as the configured rate while no rate is enforced in xenstore, creating an observability gap for administrators and monitoring tools."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0063"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0063", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0063", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0064", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0064"], "x_moksha_semantic_id": "VXD-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Database Field Poisoning via VDI.xenstore_data Arbitrary Keys", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into VDI.xenstore_data, a field designed for SM backend use. The field has zero map_keys_roles, zero write-time validation, and zero sanitization. Injected data persists in the XAPI database and is visible to all API consumers. Downstream systems (backup tools, inventory scanners, orchestration platforms) may trust the values as SM-generated metadata. The xe CLI reports this field as read-only, but programmatic API access bypasses this restriction."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0064"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0064", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0064", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0065", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0065"], "x_moksha_semantic_id": "VXD-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "SCSI Identity Forgery in XAPI Database via VDI.xenstore_data", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject forged SCSI INQUIRY data (device ID page 0x83, serial number page 0x80) into VDI.xenstore_data. These keys are normally SM-generated but the field has zero key validation and zero RBAC. Forged SCSI identities persist in the XAPI database and propagate through snapshot, clone, and pool join operations. Downstream systems (backup tools, Windows guest drivers, inventory scanners) that rely on SCSI identity metadata for disk identification may misidentify disks."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0065"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0065", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0065", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0066", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0066"], "x_moksha_semantic_id": "VXD-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Metadata Propagation via VDI Snapshot and Clone Operations", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can poison VDI.xenstore_data before a snapshot or clone operation, causing malicious data to propagate to all descendant VDI records. The snapshot/clone code at xapi_vdi.ml:861-862 copies the parent xenstore_data to the new VDI without re-validation. A single injection fans out through the entire hierarchy. The propagation is permanent - removing the injection from the parent does not clean existing descendants."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0066"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0066", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0066", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0067", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0067"], "x_moksha_semantic_id": "VXD-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Cross-Pool Metadata Injection via VDI.xenstore_data on Pool Join", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can poison VDI.xenstore_data on a source pool, and the poisoned metadata crosses into a target pool during pool join or cross-pool migration. The pool join code at xapi_pool.ml:1215 copies VDI records including xenstore_data without re-validation or sanitization. This enables a compromised vm-admin on one pool to inject attacker-controlled storage metadata into a separate, previously uncompromised pool."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0067"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0067", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0067", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0068", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0068"], "x_moksha_semantic_id": "PLAT-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Guest Xenstore Data Injection via VM.platform Map", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can inject arbitrary key-value pairs into VM.platform, and the entire map is written to guest-visible xenstore at /local/domain/<domid>/platform/ during domain creation (domain.ml:486). Guest OSes and guest agents treat all platform xenstore entries as trusted hypervisor configuration. There is no filtering, no key whitelist for guest visibility, and no map_keys_roles protection. Injected keys are indistinguishable from legitimate hypervisor configuration."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0068"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0068", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0068", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0069", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0069"], "x_moksha_semantic_id": "PLAT-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Hypervisor Security Feature Manipulation via VM.platform (nx/hap)", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable CPU security features by writing to VM.platform keys. Setting nx=false removes DEP protection, hap=false forces shadow paging, nested-virt=true expands the hypervisor attack surface, and extreme max_grant_frames/max_maptrack_frames values cause resource exhaustion. The field has zero map_keys_roles entries - all security-critical hypervisor keys are writable by the lowest delegated management role."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0069"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0069", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0069", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0070", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0070"], "x_moksha_semantic_id": "VIOC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Infrastructure Metadata Leak via SR-IOV VIF Xenstore Passthrough", "descriptions": [{"lang": "en", "value": "On XAPI-based hypervisors (XenServer, XCP-ng), arbitrary keys in VIF.other_config become visible to the guest VM via xenstore when the VIF is backed by an SR-IOV virtual function. The standard VIF path applies a 7-key whitelist filter (device.ml:827-829); the SR-IOV path (device.ml:978-1006) omits this filter entirely. Unfiltered keys are written to a guest-readable xenstore path (rwperm_for_guest). Infrastructure metadata written to other_config by administrators or automation tools is exposed to the guest, violating the assumption that other_config is host-internal."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0070"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0070", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0070", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0071", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0071"], "x_moksha_semantic_id": "NOC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "OVS In-Band Management Disablement via Network.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable Open vSwitch in-band management on any OVS bridge by writing vswitch-disable-in-band=true to Network.other_config. The value flows through network_server.ml:1142-1155 to Ovs.create_bridge, which sets other_config:disable-in-band=true on the OVS bridge. Disabling in-band management severs SDN controller connectivity when no out-of-band path exists. The field has no map_keys_roles entries for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0071"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0071", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0071", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0072", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0072"], "x_moksha_semantic_id": "HOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "SR Scan Interval Manipulation via Host.other_config auto-scan-interval", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the SR scanning interval by writing an arbitrary float value to Host.other_config:auto-scan-interval. The value is read at xapi_sr.ml:166-168 with float_of_string and no range validation. Setting 0.001 causes continuous SR scanning (CPU/IO exhaustion); setting 999999999 effectively disables scanning (storage state blindness). The field has no map_keys_roles entries for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0072"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0072", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0072", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0073", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0073"], "x_moksha_semantic_id": "SOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "SR Destruction Protection Bypass and DoS via SR.other_config indestructible", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the indestructible key in SR.other_config to either block SR destruction (DoS - requires direct database manipulation to reverse) or remove destruction protection from a legitimately protected SR (security bypass). The assert_sr_not_indestructible function at xapi_sr.ml:433-442 checks this key before SR.destroy and SR.forget. No map_keys_roles protection exists for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0073"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0073", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0073", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0074", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0074"], "x_moksha_semantic_id": "SOC-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "GC and Coalesce Disablement via SR.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable garbage collection and VHD coalescing on any SR by setting gc=false and/or coalesce=false in SR.other_config. The SM garbage collector reads these keys at cleanup.py:2052 and cleanup.py:2090. When disabled, orphan VDIs accumulate consuming storage, and VHD chains grow unbounded degrading I/O performance until chain-length errors occur. The disablement is silent - no alert, no log, no expiration. The field has no map_keys_roles entries for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N", "baseScore": 6.9, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0074"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0074", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0074", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0075", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0075"], "x_moksha_semantic_id": "PLOC-7"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Memory Ratio Bounds Relaxation via Pool.other_config", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can relax memory ratio bounds for all VMs by writing extreme values to Pool.other_config:memory-ratio-hvm and memory-ratio-pv. These keys define the lower bound ratio for memory-dynamic-min relative to memory-static-max (default 0.25). Setting to 0 allows VMs to have near-zero dynamic minimum memory, causing guest OS instability or crashes pool-wide when the balloon driver reclaims memory. No range validation exists. The field has no map_keys_roles entries for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0075"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0075", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0075", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0076", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0076"], "x_moksha_semantic_id": "POC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Network Offload Disablement via PIF.other_config ethtool Keys", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable NIC hardware offload features on any physical interface by writing ethtool-gro=off, ethtool-tso=off, etc. to PIF.other_config. These keys are consumed at nm.ml:45-110 and applied via xcp-networkd. Disabling offloads forces software packet processing, degrading performance for all VMs and management traffic. The ethtool-gro key overrides the PIF.properties:gro first-class field via a backward compatibility path. PIF.other_config has zero map_keys_roles entries and highest merge precedence in the other_config chain."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0076"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0076", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0076", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0077", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0077"], "x_moksha_semantic_id": "VIOC-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "VIF NIC Offload Disablement via VIF.other_config ethtool Keys", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disable NIC offload features (TSO, GSO, etc.) on VIF backend devices by setting ethtool-tso=off and similar keys in VIF.other_config. The VIF hotplug script (vif-real:85-97) executes ethtool -K to disable offloads. This forces host CPU to perform software segmentation, increasing CPU utilization and degrading performance for co-located VMs. VIF.other_config has zero map_keys_roles entries - all ethtool keys are writable by vm-admin."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0077"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0077", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0077", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0078", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0078"], "x_moksha_semantic_id": "DOC-6"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Guest Clock Manipulation via VDI.other_config timeoffset", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can manipulate the guest VM's RTC clock by setting the timeoffset key in VDI.other_config. When a VDI has on_boot=reset, the VDI-level timeoffset overrides the VM platform setting during domain creation (xapi_xenops.ml:312-327). No type validation enforces the expected integer format - arbitrary strings are accepted. Corrupted guest clock affects Windows license validation, certificate expiration, Kerberos authentication, and audit trail integrity. The field has no map_keys_roles entries for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 2.3, "baseSeverity": "LOW"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0078"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0078", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0078", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0079", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0079"], "x_moksha_semantic_id": "NOC-6"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Network Sharing Bypass via Network.other_config assume_network_is_shared", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can bypass network locality checks by setting assume_network_is_shared=true in Network.other_config. The key is checked at xapi_network_attach_helpers.ml:132-133. When set, XAPI treats the network as shared across all hosts regardless of actual PIF connectivity, allowing VMs to start on hosts without network infrastructure. This causes VIF attachment failures or silent connectivity loss. The field has no map_keys_roles entries for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "baseScore": 4.1, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0079"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0079", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0079", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0080", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0080"], "x_moksha_semantic_id": "SOC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "I/O Scheduler Sysfs Injection via SR.other_config scheduler", "descriptions": [{"lang": "en", "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can write an arbitrary string to the kernel I/O scheduler sysfs interface by setting the scheduler key in SR.other_config. The SM driver reads the value at SR.py:203-224 and passes it to util.set_scheduler, which writes it to /sys/block/*/queue/scheduler with zero XAPI-side validation. The kernel validates the value (rejecting unknown schedulers), limiting direct impact. The concern is the architectural pattern: user-controlled XAPI data flows directly to a kernel control interface. The field has no map_keys_roles entries for infrastructure keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.8, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.1, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0080"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0080", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0080", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0081", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0081"], "x_moksha_semantic_id": "BOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "I/O Polling Parameter Manipulation via VBD.other_config polling-duration", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VBD.other_config polling-duration and polling-idle-threshold to extreme values within the partially validated range. xenopsd applies these as I/O polling parameters without resource impact assessment. The accepted range includes values that produce suboptimal polling configurations, resulting in VBD performance degradation. The VBD.other_config field has zero map_keys_roles entries."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0081"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0081", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0081", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0082", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0082"], "x_moksha_semantic_id": "DOC-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "VDI Lifecycle Behavior Manipulation via VDI.other_config on_boot/cbt_enabled", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can modify VDI.other_config on_boot and cbt_enabled keys without validation. The on_boot key controls VDI reset-on-boot behavior, and cbt_enabled is an other_config mirror of the first-class CBT field read by SM drivers at VDI.py:831-837. Manipulation changes VDI persistence behavior (data loss on reboot) and change block tracking state. The VDI.other_config field has map_keys_roles entries only for UI keys."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.1, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0082"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0082", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0082", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0083", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0083"], "x_moksha_semantic_id": "HBP-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Boot Order Manipulation via VM.HVM_boot_params order", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set an arbitrary boot order string in VM.HVM_boot_params:order. The value is passed verbatim to QEMU as the -boot order argument at device.ml:3957-3958. XAPI performs no validation beyond replacing empty values with the default. QEMU ignores unrecognized characters, limiting impact to forcing PXE network boot when the attacker controls DHCP/PXE infrastructure. The field has zero map_keys_roles entries."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.1, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0083"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0083", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0083", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0084", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0084"], "x_moksha_semantic_id": "HBP-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Firmware Type Denial of Service via VM.HVM_boot_params firmware", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can disrupt VM boot by writing an invalid value to VM.HVM_boot_params:firmware or removing the key. XAPI accepts any value at write time but validates at VM start (xapi_xenops.ml:255-268), raising Server_error on invalid values. Firmware key removal causes BIOS fallback, rendering UEFI guests unbootable. The impact is limited because vm-admin already has VM.hard_shutdown capability. The field has zero map_keys_roles entries."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.1, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0084"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0084", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0084", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0085", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0085"], "x_moksha_semantic_id": "LPC-1"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Feature Restriction Bypass via Host.license_params restrict_* Keys", "descriptions": [{"lang": "en", "value": "An attacker with root access on an XAPI-based hypervisor host (XenServer, XCP-ng) can modify the XAPI database to set restrict_* keys in Host.license_params to false, enabling licensed features without a valid license. The field has the strongest access control in XAPI (_R_LOCAL_ROOT_ONLY, pool_internal, DynamicRO) and is not exposed via the network API. This is a license compliance issue - an attacker with root already has full system control."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.3, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 4.6, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0085"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0085", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0085", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0086", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0086"], "x_moksha_semantic_id": "LPC-2"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "License Expiry Manipulation via Host.license_params expiry", "descriptions": [{"lang": "en", "value": "An attacker with root access on an XAPI-based hypervisor host (XenServer, XCP-ng) can set the expiry key in Host.license_params to never or a far-future date, preventing license expiry enforcement and suppressing alerts. The license_check.ml code reads this value and treats never as no expiration. The field has the strongest XAPI access control (_R_LOCAL_ROOT_ONLY, pool_internal, DynamicRO). This is a license compliance issue - root access already grants full system control."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.3, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 4.6, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0086"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0086", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0086", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0087", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0087"], "x_moksha_semantic_id": "PLAT-3"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "QEMU Device Model Selection via VM.platform device-model (Limited by Whitelist)", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VM.platform:device-model to influence QEMU device model selection. A double whitelist limits impact: XAPI sanity_check (vm_platform.ml:38) validates against known profiles, and xenopsd Profile.of_string resolves to hardcoded binary paths. Unknown values default to Qemu_upstream_compat. The attacker cannot force an arbitrary QEMU binary. Impact is limited to selecting between three supported profiles. The field has zero map_keys_roles entries."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.3, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0087"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0087", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0087", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0088", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0088"], "x_moksha_semantic_id": "VQP-4"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Int64 Overflow in bytes_per_interval via VIF.qos_algorithm_params", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params kbps and timeslice_us values that cause Int64 overflow in the bytes_per_interval computation at device.ml:835-845. OCaml silently wraps on integer overflow, producing unexpected rate values. xenopsd bounds checking catches most overflow results, but edge cases where the wrapped value falls within the valid range produce rate limits unrelated to the configured kbps. The field has zero map_keys_roles entries."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.3, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Integer Overflow or Wraparound", "cweId": "CWE-190", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0088"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0088", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0088", "type": "equal"}]}]}
{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "MOKSHA-2026-0089", "assignerOrgId": "moksha.dk", "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. alternateIds contains GCVE cross-references (GNA #117) and will also carry MITRE CVE IDs if assigned.", "state": "PUBLISHED", "datePublished": "2026-04-24T06:00:00Z", "alternateIds": ["GCVE-117-2026-0089"], "x_moksha_semantic_id": "VQP-5"}, "containers": {"cna": {"providerMetadata": {"orgId": "moksha.dk", "shortName": "Moksha", "dateUpdated": "2026-04-24T06:00:00Z"}, "title": "Raw kbps Value Exposure in Private Xenstore via VIF.qos_algorithm_params", "descriptions": [{"lang": "en", "value": "A vm-admin in XAPI-based hypervisors (XenServer, XCP-ng) can set VIF.qos_algorithm_params:kbps, which xenopsd writes as a raw Int64.to_string value to the VIF private xenstore path at device.ml:920-927. While Int64.to_string prevents path injection, the raw user-controlled rate values are readable by dom0 processes without provenance tracking. Dom0 tools consuming VIF private xenstore data cannot distinguish between system-generated and attacker-supplied values. The field has zero map_keys_roles entries."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.3, "baseSeverity": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "affected": [{"vendor": "Cloud Software Group", "product": "XenServer", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}, {"vendor": "Vates", "product": "XCP-ng", "versions": [{"status": "affected", "version": "all", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://cna.moksha.dk/MOKSHA-2026-0089"}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Wolffhechel, Moksha"}]}}, "x_gcve": [{"vulnId": "GCVE-117-2026-0089", "recordType": "advisory", "relationships": [{"destId": "MOKSHA-2026-0089", "type": "equal"}]}]}