← Main disclosure FAQ Rationale

Disclosure timeline

Dates, actions, responses. This page will be updated as new events occur.

Research phase

DateEvent
2026-02-11First PoC execution (BOC-1 arbitrary host device mount). Evidence log timestamped.
2026-02 to 2026-049-week systematic audit of all 18 writable Map(String,String) fields across 8 XAPI object types. 89 independently exploitable vulnerabilities identified, 154 PoC scripts written (124 Python on shared framework + 30 shell), 206 evidence logs captured.

Pre-release notifications

DatePartyActionResponse
2026-04-09MITRECVE reservations submitted for 89 findingsNo response
2026-04-09Legal counselContacted cybersecurity lawyerResponded 2026-04-17
2026-04-17Legal counselFirst substantive response: case assigned to cybersecurity specialistMeeting scheduled
2026-04-18GCVE / CIRCLGCVE allocation requestNo response (pre-release)
2026-04-18ENISANotificationNo response
2026-04-18DIVDNotificationNo response (pre-release)
2026-04-21Legal counselMeeting with cybersecurity lawyerCompleted
2026-04-23CERT/CCNotification (ref gen-55566)Acknowledged; ticket closed same day
2026-04-23Vates (XCP-ng)Conditional patch offer sent to CEO + security teamNo acknowledgment before release
-Citrix / Cloud Software GroupNot contacted pre-release-

Public disclosure

DateEvent
2026-04-24 08:00 CESTPublic disclosure at shittrix.moksha.dk
2026-04-2489 MOKSHA advisories published at cna.moksha.dk (markdown + CVE JSON 5.1)

Post-release engagement

DateEventStatus
2026-04-24First CSIRT requests received (IDS rules and PoC access)Active
2026-04-25First CSIRT package distributed (national CSIRT, via Signal)Delivered
2026-04-26Updated CSIRT package distributed (fixed PoC import references)Delivered
2026-04-27IDS detection packages distributed to requesting organisationsDelivered
2026-04-2742 Sigma YAML rules added to CSIRT and IDS packagesShipped
2026-04-28DIVD responded (followed up on original 2026-04-18 notification)Active
2026-04-28Continued IDS distribution to requesting industry organisationsOngoing
2026-04-28Moksha approved as GCVE Numbering Authority #117 (GNA #117)Approved

Response summary

PartyContactedResponse
Legal counsel2026-04-09Meeting completed 2026-04-21
MITRE2026-04-09No response (19 days and counting)
GCVE / CIRCL2026-04-18GNA #117 approved 2026-04-28
ENISA2026-04-18No response
DIVD2026-04-18Responded 2026-04-28
CERT/CC2026-04-23Acknowledged and closed same day
Vates (XCP-ng)2026-04-23No acknowledgment
Citrix / CSGNot contacted-
National CSIRTs2026-04-24+Active engagement
Industry / ISPs2026-04-27+IDS packages distributed on request
Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · shittrix.moksha.dk