Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54287.json",
"cna_assigner": "canonical",
"cwe_ids": [
"CWE-1336"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "6.0"
},
{
"fixed": "6.5"
},
{
"introduced": "5.21"
},
{
"fixed": "5.21.4"
}
]
}