PatchSiren

Proxmox CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review Proxmox CVE published 2026-07-17

CVE-2026-51083

CVE-2026-51083 is a vulnerability in Proxmox Virtual Environment (PVE) 9.x qemu-server before 9.1.8 and 8.x before 8.4.8. The issue is related to incorrect access control, which allows users with limited privileges to obtain hashed passwords via the cloudinit/dump API. This vulnerability has a high impact on the confidentiality of the system, as it allows unauthorized access to sensitive information. The [truncated]

Review Proxmox CVE published 2026-07-17

CVE-2026-51082

CVE-2026-51082 is a race condition vulnerability between the vncproxy and vncwebsocket API calls in Proxmox Virtual Environment (PVE) 9.x pve-manager 9.1.x before 9.1.9 and 8.4.x before 8.4.19; qemu-server 9.1.x before 9.1.7 and 8.4.x before 8.4.7; and pve-container 6.1.x before 6.1.3 and 5.3.x before 5.3.4. An attacker with privileges to call 'vncproxy' can hijack a VNC session established in parallel by [truncated]

Review Proxmox CVE published 2026-07-17

CVE-2026-51080

libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 were discovered to contain an XML External Entity (XXE) vulnerability. This issue may allow attackers to exploit the vulnerability, potentially leading to security risks. The vulnerability has a medium priority due to the potential for XXE exploitation. Users of libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 should assess the risk of this [truncated]