CVE-2026-51083 is a vulnerability in Proxmox Virtual Environment (PVE) 9.x qemu-server before 9.1.8 and 8.x before 8.4.8. The issue is related to incorrect access control, which allows users with limited privileges to obtain hashed passwords via the cloudinit/dump API. This vulnerability has a high impact on the confidentiality of the system, as it allows unauthorized access to sensitive information. The [truncated]
CVE-2026-51082 is a race condition vulnerability between the vncproxy and vncwebsocket API calls in Proxmox Virtual Environment (PVE) 9.x pve-manager 9.1.x before 9.1.9 and 8.4.x before 8.4.19; qemu-server 9.1.x before 9.1.7 and 8.4.x before 8.4.7; and pve-container 6.1.x before 6.1.3 and 5.3.x before 5.3.4. An attacker with privileges to call 'vncproxy' can hijack a VNC session established in parallel by [truncated]
libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 were discovered to contain an XML External Entity (XXE) vulnerability. This issue may allow attackers to exploit the vulnerability, potentially leading to security risks. The vulnerability has a medium priority due to the potential for XXE exploitation. Users of libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7 should assess the risk of this [truncated]