Alpine: multiple incus packages: security update to 6.0.6-r0

critical Tenable Cloud Security Plugin ID 438878

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker
to create and start container instances without user consent via crafted HTML form submissions exploiting
client certificate authentication. (CVE-2025-54286)

- Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker
with instance configuration permissions to read arbitrary files on the host system via specially crafted
snapshot pattern templates using the Pongo2 template engine. (CVE-2025-54287)

- Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms
allows attackers with root privileges within any container to impersonate other containers and obtain
their metadata, configuration, and device information via spoofed process names in the command line.
(CVE-2025-54288)

- Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with
read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket
connection hijacking format (CVE-2025-54289)

Solution

Update the incus library and its related packages to version 6.0.6-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2025-54286

https://security.alpinelinux.org/vuln/CVE-2025-54287

https://security.alpinelinux.org/vuln/CVE-2025-54288

https://security.alpinelinux.org/vuln/CVE-2025-54289

https://security.alpinelinux.org/vuln/CVE-2025-54290

https://security.alpinelinux.org/vuln/CVE-2025-54291

https://security.alpinelinux.org/vuln/CVE-2025-54293

https://security.alpinelinux.org/vuln/CVE-2025-64507

https://security.alpinelinux.org/vuln/CVE-2026-28384

Plugin Details

Severity: Critical

ID: 438878

Version: Revision 1.7

Type: Local

Published: 3/17/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.63

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-54286

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 8.6

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2026-28384

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 10/2/2025

Reference Information

CVE: CVE-2025-54286, CVE-2025-54287, CVE-2025-54288, CVE-2025-54289, CVE-2025-54290, CVE-2025-54291, CVE-2025-54293, CVE-2025-64507, CVE-2026-28384