github.com/canonical/lxd
go · v0.0.0-20260429074013-a2cf2557db3d
Powerful system container and virtual machine manager
License AGPL-3.0 · network copyleft · 0 versions · 462 maintainers · 0 deps · 4,732 weekly dl
canonical/lxd
Health: 45 / 100 · do not use
github.com/canonical/lxd has critical vulnerabilities — do not use
Update to >= 0.0.0-20250827065555-0494f5d47e41 to fix known vulnerabilities
- 4 high severity vulnerabilities
- 3 critical vulnerabilities
Health breakdown (0 – 100)
- maintenance: 25/25
- popularity: 6/20
- security: 0/25
- maturity: 9/15
- community: 5/15
Vulnerabilities: 24
3 critical · 4 high · 4 medium · 13 low
Advisories (24)
| Severity | ID | Summary | Fixed in |
|---|---|---|---|
| high | GO-2025-4121 | LXD vulnerable to a local privilege escalation through custom storage volumes | 0.0.0-20251110144034-698854d0164f |
| high | CVE-2025-54289 | Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API | 0.0.0-20250827065555-0494f5d47e41 |
| high | CVE-2025-54293 | Canonical LXD Path Traversal Vulnerability in Instance Log File Retrieval Function | 0.0.0-20250224180022-ec09b24179f3 |
| low | CVE-2024-6156 | lxd CA certificate sign check bypass | 0.0.0-20240708073652-5a492a3f0036 |
| medium | CVE-2025-54288 | Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server | 0.0.0-20250827065555-0494f5d47e41 |
| critical | CVE-2026-34179 | LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin | — |
| medium | CVE-2026-3351 | lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints | 0.0.0-20260224152359-d936c90d47cf |
| critical | CVE-2026-34177 | LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf | — |
| low | CVE-2024-6219 | lxd has a restricted TLS certificate privilege escalation when in PKI mode | 0.0.0-20240403103450-0e7f2b5bf4d2 |
| medium | CVE-2025-54290 | Canonical LXD Project Existence Determination Through Error Handling in Image Export Function | 0.0.0-20250827065555-0494f5d47e41 |
| high | CVE-2025-54286 | Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI | 0.0.0-20250827065555-0494f5d47e41 |
| critical | CVE-2026-34178 | LXD: Importing a crafted backup leads to project restriction bypass | — |
| low | GHSA-x9qq-236j-gj97 | Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true | 0.0.0-20240118092008-ce1bd0dd37bb |
| medium | CVE-2025-54291 | Canonical LXD Project Existence Determination Through Error Handling in Image Get Function | 0.0.0-20250827065555-0494f5d47e41 |
| unknown | CVE-2024-6156 | CA certificate sign check bypass in github.com/canonical/lxd | 0.0.0-20240708073652-5a492a3f0036 |
| unknown | CVE-2024-6219 | Restricted TLS certificate privilege escalation when in PKI mode in github.com/canonical/lxd | 0.0.0-20240403103450-0e7f2b5bf4d2 |
| unknown | CVE-2025-54289 | Privilege Escalation via WebSocket Connection Hijacking in Operations API in github.com/canonical/lxd | — |
| unknown | CVE-2025-54293 | Canonical LXD Path Traversal Vulnerability in Instance Log File Retrieval Function in github.com/canonical/lxd | 0.0.0-20250224180022-ec09b24179f3 |
| unknown | CVE-2025-54288 | Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server in github.com/canonical/lxd | 0.0.0-20250827065555-0494f5d47e41 |
| unknown | CVE-2025-54290 | Canonical LXD Project Existence Determination Through Error Handling in Image Export Function in github.com/canonical/lxd | 0.0.0-20250827065555-0494f5d47e41 |
... and 4 more
API access
Get this data programmatically — free, no authentication.
curl https://depscope.dev/api/check/go/github.com/canonical/lxd
Last updated · 2026-04-29T07:40:13Z