Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:apk/alpine/podman@0?arch=x86_64&distroversion=edge&reponame=community
Typeapk
Namespacealpine
Namepodman
Version0
Qualifiers
arch x86_64
distroversion edge
reponame community
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version1.8.1-r0
Latest_non_vulnerable_version5.7.0-r0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-24jj-m523-3bdr
vulnerability_id VCID-24jj-m523-3bdr
summary 
PowerShell Command Injection in Podman HyperV Machine
## Summary

A command injection vulnerability exists in Podman's HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing `$()` subexpression injection.

## Affected Code

**File**: `pkg/machine/hyperv/stubber.go:647`

```go
resize := exec.Command("powershell", []string{
    "-command",
    fmt.Sprintf("Resize-VHD \"%s\" %d", imagePath.GetPath(), newSize.ToBytes()),
}...)
```



## Root Cause

PowerShell evaluates `$()` subexpressions inside double-quoted strings before executing the outer command. The `fmt.Sprintf` call places the user-controlled image path directly into double quotes without escaping or sanitization.

## Impact

An attacker who can control the VM image path (through a crafted machine name or image directory) can execute arbitrary PowerShell commands with the privileges of the Podman process on the Windows host. On typical Windows installations, this means SYSTEM-level code execution.


## Patch

https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed

The affected code is only used on Windows, all other operating systems are not affected by this and can thus ignore the CVE patch.

## Credit

We like to thank Sang-Hoon Choi (@KoreaSecurity) for reporting this issue to us.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33414.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33414.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33414
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02219
published_at 2026-04-24T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.07772
published_at 2026-04-18T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.07789
published_at 2026-04-16T12:55:00Z
3
value 0.00039
scoring_system epss
scoring_elements 0.11796
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33414
2
reference_url https://github.com/containers/podman
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containers/podman
3
reference_url https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed
reference_id
reference_type
scores
0
value 4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value 4.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:57:01Z/
url https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed
4
reference_url https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59
reference_id
reference_type
scores
0
value 4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value 4.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:57:01Z/
url https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33414
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33414
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2458522
reference_id 2458522
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2458522
7
reference_url https://access.redhat.com/errata/RHSA-2026:8211
reference_id RHSA-2026:8211
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8211
fixed_packages
0
url pkg:apk/alpine/podman@0?arch=x86_64&distroversion=edge&reponame=community
purl pkg:apk/alpine/podman@0?arch=x86_64&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/podman@0%3Farch=x86_64&distroversion=edge&reponame=community
aliases CVE-2026-33414, GHSA-hc8w-h2mf-hp59
risk_score 4.0
exploitability 0.5
weighted_severity 7.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-24jj-m523-3bdr
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:apk/alpine/podman@0%3Farch=x86_64&distroversion=edge&reponame=community