CVE-2025-66172 is an access-control flaw in the CloudStack Backup plugin affecting versions 4.21.0.0 and 4.22.0.0. An authenticated user with access to the relevant APIs can restore a volume from another user's backups and attach that volume to their own VMs, creating a cross-tenant authorization break with high confidentiality and integrity impact.
CVE-2025-66171 is an access-control issue in the Apache CloudStack Backup plugin affecting versions 4.21.0.0 and 4.22.0.0. According to the supplied advisory text, an authenticated user with access to specific APIs in an environment where the plugin is enabled can create new VMs from backups belonging to other users. Apache recommends upgrading to CloudStack 4.22.0.1 to resolve the issue.
CVE-2025-66170 describes an improper authorization logic issue in the CloudStack Backup plugin. In affected versions 4.21.0.0 and 4.22.0.0, an authenticated user account with access to specific APIs may be able to list backups belonging to other accounts in the same environment. The advisory notes that backup contents are not exposed, but backup metadata and account association can still leak across tenan [truncated]
CVE-2026-34757 describes a memory-safety flaw in libpng’s metadata handling APIs. If code passes a pointer returned by png_get_PLTE, png_get_tRNS, or png_get_hIST back into the matching setter on the same png_struct/png_info pair, the setter can free the internal buffer first and then read from the now-dangling pointer. That can silently corrupt chunk metadata or copy stale heap data into the replacement [truncated]