CVE-2026-28384— LXD 安全漏洞

Authenticated RCE via unsanitized compression_algorithm

An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.

N/A

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

LXD 安全漏洞

LXD是Canonical开源的一款基于Linux系统用于管理应用程序的容器。 LXD 4.12至6.6版本存在安全漏洞，该漏洞源于对compression_algorithm参数清理不当，可能导致经过身份验证的非特权用户通过API调用执行LXD守护进程命令。

N/A

N/A