CVSS: 4.2EPSS: %CPEs: 1EXPL: 0CVE-2026-35414
https://notcve.org/view.php?id=CVE-2026-35414
02 Apr 2026 — OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. • https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 2.5EPSS: %CPEs: 1EXPL: 0CVE-2026-35388
https://notcve.org/view.php?id=CVE-2026-35388
02 Apr 2026 — OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. • https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 • CWE-420: Unprotected Alternate Channel •
CVSS: 3.1EPSS: %CPEs: 1EXPL: 0CVE-2026-35387
https://notcve.org/view.php?id=CVE-2026-35387
02 Apr 2026 — OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. • https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 3.6EPSS: %CPEs: 1EXPL: 0CVE-2026-35386
https://notcve.org/view.php?id=CVE-2026-35386
02 Apr 2026 — In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. • https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 • CWE-696: Incorrect Behavior Order •
CVSS: 7.5EPSS: %CPEs: 1EXPL: 0CVE-2026-35385
https://notcve.org/view.php?id=CVE-2026-35385
02 Apr 2026 — In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). • https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 • CWE-281: Improper Preservation of Permissions •
CVSS: 3.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-61984 – SUSE Security Advisory - SUSE-SU-2025:4067-1
https://notcve.org/view.php?id=CVE-2025-61984
06 Oct 2025 — ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.) This update for openssh fixes the following issues. Code execution via control characters in usernames when a ProxyCommand... • https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2 • CWE-159: Improper Handling of Invalid Use of Special Elements •
CVSS: 3.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-61985 – SUSE Security Advisory - SUSE-SU-2025:4067-1
https://notcve.org/view.php?id=CVE-2025-61985
06 Oct 2025 — ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. This update for openssh fixes the following issues. Fixed code execution via control characters in usernames when a ProxyCommand is used. Fixed code execution via '\0' character in ssh:// URI when a ProxyCommand is used. • https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2 • CWE-158: Improper Neutralization of Null Byte or NUL Character •
CVSS: 8.1EPSS: 42%CPEs: 54EXPL: 109CVE-2024-6387 – Openssh: regresshion - race condition in ssh allows rce/dos
https://notcve.org/view.php?id=CVE-2024-6387
01 Jul 2024 — A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. Se encontró una condición de ejecución del controlador de señales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anter... • https://packetstorm.news/files/id/179290 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 6.5EPSS: 16%CPEs: 4EXPL: 23CVE-2023-51385 – openssh: potential command injection via shell metacharacters
https://notcve.org/view.php?id=CVE-2023-51385
18 Dec 2023 — In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. En ssh en OpenSSH anterior a 9.6, la inyección de comandos del sistema operativo puede ocurrir si un nombre de usuario o nombre de host tiene metacaracteres de shell, y un token de expansión hace referenci... • https://github.com/WOOOOONG/CVE-2023-51385 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 56%CPEs: 79EXPL: 5CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
18 Dec 2023 — The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phas... • https://packetstorm.news/files/id/176280 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •