CVE-2026-33897: Incus vulnerable to arbitrary file read and write through pongo templates

March 27, 2026

Instance template files can be used to cause arbitrary read or writes as root on the host server.

References

github.com/advisories/GHSA-83xr-5xxr-mh92
github.com/lxc/incus
github.com/lxc/incus/commit/487edf5984fad89b0f762c03a7e211fdd38396fb
github.com/lxc/incus/security/advisories/GHSA-83xr-5xxr-mh92
nvd.nist.gov/vuln/detail/CVE-2026-33897

Code Behaviors & Features

Detect and mitigate CVE-2026-33897 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →