Mallory

Multiple Vulnerabilities Disclosed in Proxmox Virtual Environment

Tags: widely-deployed-product-advisory, internet-exposed-service, cloud-service-vulnerability
Updated April 24, 2026 at 11:05 AM (2 sources)

German CERT published two advisories affecting Proxmox Virtual Environment (PVE), including one issue that can lead to information disclosure and a later notice covering multiple vulnerabilities in the virtualization platform. The advisories, 2026-1012 and 2026-1243, indicate that organizations running Proxmox should review exposed management infrastructure and assess whether sensitive data or administrative functions could be affected.

The notices provide limited public detail, but the combination of an information disclosure flaw and additional unspecified weaknesses raises concern for enterprises using Proxmox to host virtual machines and manage clustered infrastructure. Security teams should identify all PVE deployments, monitor vendor and CERT updates for affected versions and patches, and prioritize remediation or compensating controls on internet-reachable or business-critical systems.

Timeline

  1. Apr 24, 2026

    dCERT publishes Proxmox VE multiple vulnerabilities advisory 2026-1243

    dCERT published advisory 2026-1243 for Proxmox Virtual Environment covering multiple vulnerabilities, indicating additional or broader security issues were disclosed.

  2. Apr 9, 2026

    dCERT publishes Proxmox VE information disclosure advisory 2026-1012

    dCERT published advisory 2026-1012 for Proxmox Virtual Environment describing a vulnerability that allows information disclosure.

Related Stories

Multiple Flaws in Proxmox VE and Mail Gateway Enable XSS, DoS, and Privilege Escalation

Researchers disclosed three vulnerabilities affecting **Proxmox Virtual Environment (PVE)** and **Proxmox Mail Gateway (PMG)**, including a post-authentication reflected XSS in PVE’s API Inspector, a CRLF injection flaw in HTTP error handling, and a post-authentication SSRF plus arbitrary file-read issue shared across both products. The XSS bug, tracked as `CVE-2022-31358`, could let an authenticated attacker run JavaScript in a logged-in administrator’s browser and potentially abuse exposed web UI functions to execute actions on the host. The CRLF injection issue could be exploited in Chromium-based browsers to inject headers and trigger a client-side denial of service by forcing oversized cookie headers that lock users out of the web interface. The most serious finding was a bug chain in PVE and PMG that allowed low-privileged authenticated users to abuse SSRF and arbitrary file read; in PMG, attackers could also access backup archives containing the authentication private key, forge valid tickets, and escalate privileges to **`root@pam`**. MITRE assigned `CVE-2022-35507` and `CVE-2022-35508` to the latter flaws. Proxmox addressed the XSS in **`pve-http-server` 4.1-2** and patched the CRLF injection and SSRF-related issues in **`pve-http-server` 4.1-3**.

2 weeks ago
QEMU Flaws Enable Denial of Service, Information Disclosure, and Data Manipulation

German government CERT advisories disclosed multiple **QEMU** vulnerabilities that affect virtualized environments and could let attackers trigger **denial of service**, expose sensitive information, and in one case manipulate data. One advisory describes a flaw leading to service disruption and information disclosure, while a later notice expands the impact to include **data manipulation**, indicating broader risk to guest or host operations depending on deployment and exposure. The advisories identify QEMU as the affected component and warn that organizations relying on the emulator and virtualization stack may face risks to **availability**, **confidentiality**, and **integrity**. Operators of cloud, server, and lab environments using QEMU should review the relevant vendor guidance and apply available updates or mitigations to reduce the chance of exploitation against virtual machines and supporting infrastructure.

3 weeks ago
Xen Advisories Disclose Linux Guest Kernel Flaws Enabling Privilege Escalation

Xen has disclosed two Linux guest kernel vulnerabilities affecting virtualized environments, warning that both issues require patching and have no known mitigations. **CVE-2026-31786** (`XSA-485`) affects Linux kernels **4.13 and later** in Xen domains through unsafe handling of the binary build ID exposed at `/sys/hypervisor/properties/buildid`. The bug uses `sprintf()` on a non-null-terminated binary value, which can trigger an out-of-bounds read and, in rare cases, a write past the 4 KB sysfs buffer, potentially leading to **information disclosure, denial of service, or privilege escalation** inside Linux Xen guests. A second advisory, **CVE-2026-31787** (`XSA-487`), describes a **double-free** flaw in the Linux **Xen `privcmd` driver** that allows a **root user in a Linux guest** to bypass kernel lockdown protections tied to secure boot. Xen said the issue affects Linux **PVH or HVM domains** on **x86 and Arm** from kernel **3.8 onward**, while PV domains and non-Linux guests are not affected. The vulnerabilities were reported by **Frediano Ziglio of XenServer** and **Atharva Vartak (@0xAth4rv)**, respectively, and Xen urged operators to apply the supplied Linux patches.

5 days ago
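As an added illustration of the bug class named in the Xen story above (this is not Xen or Linux kernel code), the block below models how a `%s` conversion over a binary, unterminated build id scans past its buffer, beside a length-bounded hex formatter of the kind a defender would expect in its place. The 4 KB sysfs page size comes from the advisory; every byte value and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Xen or Linux kernel code. It models the bug class in
 * XSA-485: handing a binary, non-NUL-terminated build id to a "%s"
 * conversion, which scans for a NUL that is not inside the buffer. The 4 KB
 * sysfs page size is from the advisory; every byte value here is constructed. */

#define SYSFS_PAGE_SIZE 4096
#define BUILDID_LEN 8

/* Constructed build id: contains a 0x00 in the middle (so "%s" would also
 * truncate it) and has no terminating NUL after the last byte. */
static const unsigned char sample_buildid[BUILDID_LEN] = {
    0x7f, 0x45, 0x4c, 0x46, 0x00, 0x99, 0xaa, 0xbb
};

/* Constructed memory layout: an unterminated 8-byte id followed by unrelated
 * non-zero bytes; the first 0x00 lies well past the id. Used only to reason
 * about how far a "%s" scan would go; no out-of-bounds access is performed. */
static const unsigned char region[] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04, /* the id, no NUL */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, /* neighbouring memory */
    0x99, 0xaa, 0x00                                 /* first NUL, index 18 */
};

/* Bytes a "%s" conversion would read beyond id_len before hitting a NUL in
 * the surrounding region; 0 means the scan stays inside the id. */
size_t percent_s_overread(const unsigned char *mem, size_t mem_len, size_t id_len)
{
    const unsigned char *nul = memchr(mem, 0, mem_len);
    size_t scanned = nul ? (size_t)(nul - mem) : mem_len;
    return scanned > id_len ? scanned - id_len : 0;
}

/* Hardened formatter: the length is explicit and every byte is hex-encoded,
 * so an embedded 0x00 survives and the scan never leaves the id. Returns the
 * characters written, or -1 when hex digits plus NUL would not fit in out_sz
 * (for a sysfs attribute, out_sz would be the 4 KB page). */
int format_buildid_hex(char *out, size_t out_sz,
                       const unsigned char *id, size_t id_len)
{
    if (out_sz < id_len * 2 + 1)
        return -1;
    for (size_t i = 0; i < id_len; i++)
        snprintf(out + i * 2, 3, "%02x", id[i]);
    return (int)(id_len * 2);
}
```

With the constructed layout, `percent_s_overread` reports 10 bytes read past the id, while `format_buildid_hex` emits all 16 hex digits into a page-sized buffer and refuses an undersized one.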