GHSA-9p3w-rm2q-9gxc

GHSA-9p3w-rm2q-9gxc PUBLISHED CVSS 5 MEDIUM

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Risk Scores

CVSS 3.0

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Exploit Intelligence

8051-2.json (github-poc)

Timeline

Mar 26, 2026 CVE Published
Mar 27, 2026 CVE Updated
Apr 10, 2026 Security Advisory

References

https://nvd.nist.gov/vuln/detail/CVE-2026-0964 advisory
https://access.redhat.com/security/cve/CVE-2026-0964 url
https://bugzilla.redhat.com/show_bug.cgi?id=2436979 url
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases url

Open in Interactive Console →