CVE-2026-0964

5.0 MEDIUM

Published: March 26, 2026 Modified: March 30, 2026

Description

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://access.redhat.com/security/cve/CVE-2026-0964

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2436979

Source: secalert@redhat.com

https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/

Source: secalert@redhat.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

5.0 / 10.0

EPSS (Exploit Probability)

0.0%

10th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-22

Related CVEs

CVE-2026-41304 N/A

CVE-2026-41144 N/A

CVE-2026-41136 N/A

CVE-2026-41135 7.5

CVE-2026-41133 8.8