XCP-ng vulnerabilities: How to find impacted assets

An April 2026 audit claimed 89 exploitable input-validation flaws across XAPI object fields affecting XCP-ng, Citrix XenServer/Hypervisor and XAPI-based distributions, asserting potential host filesystem read/write, cross-VM data exfiltration, and pool-wide compromise by users with the vm-admin role. Upstream and downstream vendors investigated and issued XSA/XCP-ng advisories, concluding only five of the 89 claims were actionable and publishing fixes for several confirmed CVEs (including DoS, kernel info-leak, grant-table race leading to possible hypervisor escalation, and an AMD CPU mitigation). Administrators are advised to assess exposed systems and upgrade to the patched packages (notably XCP-ng 8.3 xen-4.17.6-6.2.xcpng8.3 or later) while recognizing that some older EOL releases may remain unpatched.