VDB
CVE-2026-35386
CVE-2026-35386
PUBLISHED
CVSS 3.6 LOW
Reported by mitre · Published April 2, 2026
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
Risk Scores
CVSS v3.1
3.6
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| OpenBSD | OpenSSH | 0 |
| OpenBSD | OpenSSH | 0 |
| openbsd | openssh | 0 |
Timeline
- Apr 2, 2026 CVE Published
- Apr 2, 2026 CVE Updated
- Apr 2, 2026 PoC Published
- Apr 2, 2026 PoC Published
- Apr 2, 2026 PoC Published
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 4, 2026 Distribution Patch
- May 4, 2026 Security Advisory
- May 4, 2026 Distribution Patch
- May 4, 2026 Security Advisory
- May 5, 2026 Distribution Patch