Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2026-0964

CVE-2026-0964

MEDIUM5.0

Libssh: improper sanitation of paths received from scp servers

Published Mar 26, 2026

Modified 3 days ago

Details

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences.

This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

References

https://access.redhat.com/security/cve/CVE-2026-0964

https://bugzilla.redhat.com/show_bug.cgi?id=2436979

https://www.cve.org/CVERecord?id=CVE-2026-0964

https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/

CVSS Analysis

CVSS v3.0

5.0

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

LowA:L

5/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Weakness Type (CWE)

Input Validation

Ecosystems

Timeline

PublishedMar 26, 2026

ModifiedApr 18, 2026

CVE-2026-0964 | Mondoo Vulnerability Intelligence