VDB

DEBIAN-CVE-2026-35386

DEBIAN-CVE-2026-35386 PUBLISHED CVSS 8.100000381469727 HIGH

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

Risk Scores

CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Debian:12openssh*, 0, 1:10.0p1-2
Debian:14openssh10.3, 0, 1:10.0p1-7
Debian:13openssh1:10.2p1-2~bpo13+1, 1:10.2p1-3, 1:10.2p1-5
Debian:11openssh*, *, *

Exploit Intelligence

Timeline

  • Apr 2, 2026 CVE Published
  • May 16, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›