CVE-2026-25077 is a high-severity OS command injection vulnerability (CVSS 8.8) in the KVM hypervisor’s template registration workflow that allows any authenticated account user to execute arbitrary code on the hypervisor host by supplying a crafted file name in a malicious template. Successful exploitation breaks VM isolation entirely, compromising all guest VMs on the affected host. Patch availability must be confirmed via NVD and the GitHub Security Advisory; no public exploit code has been confirmed in source data.
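A host-side guard for the bug class described above, shown as an added example and not code from the affected project or its advisory. It assumes the template's file name eventually reaches a command run on the hypervisor host; the allowlist pattern, the `inspect-template` tool name and the sample names are hypothetical.

```python
import re

# Assumed policy (not from the advisory): a conservative character set,
# an alphanumeric first character, and a bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def reject_reason(name):
    """Return None if the file name is acceptable, else a short reason."""
    if not name:
        return "empty"
    if len(name) > 128:
        return "too long"
    if name.startswith("-"):
        return "leading dash"        # would be parsed as a command option
    if "/" in name or "\\" in name or ".." in name:
        return "path component"      # would escape the template directory
    # fullmatch (not match with "$") also rejects a trailing newline.
    if not SAFE_NAME.fullmatch(name):
        return "not in allowlist pattern"
    return None


def build_argv(tool, directory, name):
    """Build an argument vector so that no shell ever parses the name."""
    reason = reject_reason(name)
    if reason is not None:
        raise ValueError(f"rejected template file name {name!r}: {reason}")
    # "--" ends option parsing; the list form is meant for
    # subprocess.run(argv, shell=False), never for a joined shell string.
    return [tool, "--", f"{directory.rstrip('/')}/{name}"]


def audit(names):
    """Map each rejected name to its reason, for logging or alerting."""
    return {n: r for n in names if (r := reject_reason(n)) is not None}


# Constructed sample names, not taken from any real template.
SAMPLES = ["centos-9.qcow2", "a;b.qcow2", "disk$(x).qcow2",
           "../x.qcow2", "-o", "disk.qcow2\n"]

if __name__ == "__main__":
    for name, reason in audit(SAMPLES).items():
        print(f"{name!r}: {reason}")
    print(build_argv("inspect-template", "/var/templates/", SAMPLES[0]))
```

Validation and the argument-vector call are independent layers: rejecting the name stops the request early, while the list form keeps a name that slips past the pattern from being interpreted by a shell.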