
CloudStack

Cloud Management

Open source Infrastructure as a Service (IaaS) platform for deploying and managing large networks of virtual machines across multiple hypervisors

Language: Java · Latest release: 4.22.1.0 (8 days ago)

Features

  • Deploys and manages large-scale virtual machine fleets
  • Supports major hypervisors: VMware vSphere, KVM, XenServer, XenProject, Hyper‑V, OVM, LXC containers
  • Provides full IaaS stack: compute orchestration, Network-as-a-Service, user/account management, native API, UI, and resource accounting

Security Response History

9 CVEs. KEV marks a CVE listed in the CISA Known Exploited Vulnerabilities catalog. "Patched" is the date this tool shipped a fix; the last column compares the tool's time to patch with the ecosystem median.

| CVE | KEV | Severity | CVSS | Disclosed | Patched (this tool) | Time to patch / ecosystem median |
|---|---|---|---|---|---|---|
| CVE-2025-24813 | yes | critical | 9.8 | 2025-04-01 | 2025-06-10 | 2mo / 9mo |
| CVE-2023-44487 | yes | medium | 7.5 | 2023-10-10 | 2025-06-10 | 1y 8mo / 2y 3mo |
| CVE-2021-45046 | yes | critical | 9.0 | 2023-05-01 | 2025-06-10 | 2y 1mo / 2y 9mo |
| CVE-2021-39144 | yes | high | 8.5 | 2023-03-10 | 2025-06-10 | 2y 3mo / 2y 10mo |
| CVE-2022-22965 | yes | critical | 9.8 | 2022-04-04 | 2025-06-10 | 3y 2mo / 3y 10mo |
| CVE-2017-12617 | yes | high | 8.1 | 2022-03-25 | 2025-06-10 | 3y 3mo / 3y 10mo |
| CVE-2017-12615 | yes | high | 8.1 | 2022-03-25 | 2025-06-10 | 3y 3mo / 3y 10mo |
| CVE-2020-1938 | yes | critical | 9.8 | 2022-03-03 | 2025-06-10 | 3y 3mo / 3y 10mo |
| CVE-2021-44228 | yes | critical | 10.0 | 2021-12-10 | 2025-06-10 | 3y 6mo / 4y 2mo |

Recent releases (8 releases in total)
4.22.0.1 Security relevant (patches CVE-2017-12615, CVE-2017-12617, CVE-2020-1938 and 6 more)
Security fixes
  • CVE-2025-66170 — Low severity: any user can list backups they should not access.
  • CVE-2025-66171 — Important severity: any user can create a VM from unauthorized backups.
  • CVE-2025-66172 — Important severity: any user can attach volumes from unauthorized backups.
Full changelog

This is a security release that fixes the following on top of the 4.22.0.1 release:

  • CVE-2025-66170 Any user can list backups that they should not have access to. (severity 'Low')
  • CVE-2025-66171 Any user can create a new VM from backups they should not have access to (severity 'Important')
  • CVE-2025-66172 Any user can attach a volume in their VMs from backups they should not have access to (severity 'Important')
  • CVE-2025-66467 MinIO policy remains intact on bucket deletion (severity 'Important')
  • CVE-2025-69233 Domain/account resources limits not honored (severity 'Moderate')
  • CVE-2026-25077 Unauthenticated Command Injection in Direct Download Templates (severity 'Important')
  • CVE-2026-25199 Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access (severity 'Moderate')

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.20.3.0-4.22.0.1/

Release notes: https://docs.cloudstack.apache.org/en/4.22.0.1/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.22.0.1/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.22.0.1/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.22.0.1/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.22

4.20.1.0 Security relevant
Security fixes
  • CVE-2025-26521: CKS cluster exposes user API keys
  • CVE-2025-30675: Unauthorized template/ISO list access to domain/resource admins
  • CVE-2025-47713: Domain Admin password reset in Root Domain
4.19.3.0 Security relevant
Security fixes
  • CVE-2025-26521: CKS cluster exposes user API keys
  • CVE-2025-30675: Unauthorized template/ISO list access to domain/resource admins
  • CVE-2025-47713: Domain Admin password reset in Root Domain


About

  • Stars: 2,939
  • Forks: 1,327
  • Languages: Java, Python, Vue
