CVE-2026-33414: PowerShell Command Injection in Podman HyperV Machine

April 14, 2026 (updated April 27, 2026)

A command injection vulnerability exists in Podman’s HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection.

References

github.com/advisories/GHSA-hc8w-h2mf-hp59
github.com/containers/podman
github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed
github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59
nvd.nist.gov/vuln/detail/CVE-2026-33414

Code Behaviors & Features

Detect and mitigate CVE-2026-33414 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →