CVE-2026-51080
Proxmox · libpve-storage-perl
The Proxmox libpve-storage-perl library contains an XML External Entity (XXE) vulnerability that could lead to unauthorized data disclosure or service disruption.
Executive summary
An XML External Entity (XXE) vulnerability in Proxmox libpve-storage-perl poses a critical risk of data compromise and unauthorized system access.
Vulnerability
This is an XXE vulnerability occurring within the Perl-based storage management library. It allows an unauthenticated attacker to process malicious XML input to perform unauthorized file access or initiate server-side request forgery.
Business impact
The ability to exploit XXE can lead to the exposure of sensitive configuration files, internal system credentials, or the unauthorized interaction with internal network services. Given the CVSS score of 9.8, this vulnerability must be treated as a high-priority risk to the security of the virtualization infrastructure.
Remediation
Immediate Action: Apply the latest security updates provided by Proxmox for the affected library versions.
Proactive Monitoring: Monitor system logs for unusual XML-related errors or unexpected outbound network requests originating from the storage management services.
Compensating Controls: Utilize a Web Application Firewall or network inspection tools to identify and block malicious XML payloads targeting the storage API.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations utilizing Proxmox Virtual Environment should verify their versions of libpve-storage-perl and apply the vendor-supplied patches immediately. Failure to address this flaw could allow attackers to bypass security boundaries and access sensitive data within the virtualization host.