Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1068121?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1068121?format=api", "purl": "pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u2", "type": "deb", "namespace": "debian", "name": "openssh", "version": "1:10.0p1-7+deb13u2", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "1:10.2p1-2~bpo13+1", "latest_non_vulnerable_version": "1:10.3p1-1", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349222?format=api", "vulnerability_id": "VCID-792n-jkzj-qqhd", "summary": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35385.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35385.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35385", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.1055", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10687", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11705", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11716", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11771", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11782", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11743", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11718", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.1158", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11582", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35385" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35385", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35385" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132572", "reference_id": "1132572", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132572" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454469", "reference_id": "2454469", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454469" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2026/04/02/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T17:06:07Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3" }, { "reference_url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2", "reference_id": "?l=openssh-unix-dev&m=177513443901484&w=2", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T17:06:07Z/" } ], "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2" }, { "reference_url": "https://www.openssh.org/releasenotes.html#10.3p1", "reference_id": "releasenotes.html#10.3p1", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T17:06:07Z/" } ], "url": "https://www.openssh.org/releasenotes.html#10.3p1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055829?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068120?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068121?format=api", "purl": "pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.0p1-7%252Bdeb13u2" }, { "url": "http://public2.vulnerablecode.io/api/packages/1055831?format=api", "purl": "pkg:deb/debian/openssh@1:10.2p1-2~bpo13%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.2p1-2~bpo13%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1062956?format=api", "purl": "pkg:deb/debian/openssh@1:10.3p1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.3p1-1" } ], "aliases": [ "CVE-2026-35385" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-792n-jkzj-qqhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349220?format=api", "vulnerability_id": "VCID-8efr-budq-6bb6", "summary": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35414.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35414.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35414", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03583", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03573", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04506", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04491", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05313", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0524", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05224", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05211", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05157", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05159", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35414" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35414", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35414" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132576", "reference_id": "1132576", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132576" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454490", "reference_id": "2454490", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454490" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2026/04/02/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:42:45Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3" }, { "reference_url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2", "reference_id": "?l=openssh-unix-dev&m=177513443901484&w=2", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:42:45Z/" } ], "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2" }, { "reference_url": "https://www.openssh.org/releasenotes.html#10.3p1", "reference_id": "releasenotes.html#10.3p1", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:42:45Z/" } ], "url": "https://www.openssh.org/releasenotes.html#10.3p1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055829?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068120?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068121?format=api", "purl": "pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.0p1-7%252Bdeb13u2" }, { "url": "http://public2.vulnerablecode.io/api/packages/1055831?format=api", "purl": "pkg:deb/debian/openssh@1:10.2p1-2~bpo13%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.2p1-2~bpo13%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1062956?format=api", "purl": "pkg:deb/debian/openssh@1:10.3p1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.3p1-1" } ], "aliases": [ "CVE-2026-35414" ], "risk_score": 2.1, "exploitability": "0.5", "weighted_severity": "4.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8efr-budq-6bb6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349224?format=api", "vulnerability_id": "VCID-a4eq-r71a-buhm", "summary": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35386.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35386.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35386", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00508", "published_at": "2026-04-07T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.0051", "published_at": "2026-04-04T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00703", "published_at": "2026-04-21T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00678", "published_at": "2026-04-08T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0067", "published_at": "2026-04-11T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00663", "published_at": "2026-04-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00664", "published_at": "2026-04-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00656", "published_at": "2026-04-16T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00661", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35386" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35386", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35386" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132573", "reference_id": "1132573", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132573" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454506", "reference_id": "2454506", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454506" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2026/04/02/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "3.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T17:12:12Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3" }, { "reference_url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2", "reference_id": "?l=openssh-unix-dev&m=177513443901484&w=2", "reference_type": "", "scores": [ { "value": "3.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T17:12:12Z/" } ], "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2" }, { "reference_url": "https://www.openssh.org/releasenotes.html#10.3p1", "reference_id": "releasenotes.html#10.3p1", "reference_type": "", "scores": [ { "value": "3.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T17:12:12Z/" } ], "url": "https://www.openssh.org/releasenotes.html#10.3p1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055829?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068120?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068121?format=api", "purl": "pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.0p1-7%252Bdeb13u2" }, { "url": "http://public2.vulnerablecode.io/api/packages/1055831?format=api", "purl": "pkg:deb/debian/openssh@1:10.2p1-2~bpo13%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.2p1-2~bpo13%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1062956?format=api", "purl": "pkg:deb/debian/openssh@1:10.3p1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.3p1-1" } ], "aliases": [ "CVE-2026-35386" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a4eq-r71a-buhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64289?format=api", "vulnerability_id": "VCID-ajmg-5kgx-k7h5", "summary": "openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3497.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3497.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3497", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09146", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09123", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09198", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09203", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09232", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09235", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10288", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10161", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10136", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10267", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3497" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3497", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3497" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130595", "reference_id": "1130595", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130595" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447085", "reference_id": "2447085", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447085" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2026/03/12/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:04:05Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2026/03/12/3" }, { "reference_url": "https://ubuntu.com/security/CVE-2026-3497", "reference_id": "CVE-2026-3497", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:04:05Z/" } ], "url": "https://ubuntu.com/security/CVE-2026-3497" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5475", "reference_id": "RHSA-2026:5475", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5475" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6461", "reference_id": "RHSA-2026:6461", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6461" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6462", "reference_id": "RHSA-2026:6462", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6462" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6463", "reference_id": "RHSA-2026:6463", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6463" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7107", "reference_id": "RHSA-2026:7107", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7107" }, { "reference_url": "https://usn.ubuntu.com/8090-1/", "reference_id": "USN-8090-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8090-1/" }, { "reference_url": "https://usn.ubuntu.com/8090-2/", "reference_id": "USN-8090-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8090-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055828?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-792n-jkzj-qqhd" }, { "vulnerability": "VCID-8efr-budq-6bb6" }, { "vulnerability": "VCID-a4eq-r71a-buhm" }, { "vulnerability": "VCID-a7m6-uqbt-nqd9" }, { "vulnerability": "VCID-ajmg-5kgx-k7h5" }, { "vulnerability": "VCID-bnrq-2fsr-mfgd" }, { "vulnerability": "VCID-kgn5-p8kx-qucj" }, { "vulnerability": "VCID-wga4-sqwk-4bfj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u7" }, { "url": "http://public2.vulnerablecode.io/api/packages/1055829?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068120?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068121?format=api", "purl": "pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.0p1-7%252Bdeb13u2" }, { "url": "http://public2.vulnerablecode.io/api/packages/1055831?format=api", "purl": "pkg:deb/debian/openssh@1:10.2p1-2~bpo13%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.2p1-2~bpo13%252B1" } ], "aliases": [ "CVE-2026-3497" ], "risk_score": 3.7, "exploitability": "0.5", "weighted_severity": "7.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ajmg-5kgx-k7h5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349223?format=api", "vulnerability_id": "VCID-bnrq-2fsr-mfgd", "summary": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35388.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35388.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35388", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01324", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01312", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01686", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01612", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01619", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01604", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01595", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01594", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01583", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01597", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35388" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35388", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35388" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132575", "reference_id": "1132575", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132575" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454500", "reference_id": "2454500", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454500" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2026/04/02/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:46:05Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3" }, { "reference_url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2", "reference_id": "?l=openssh-unix-dev&m=177513443901484&w=2", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:46:05Z/" } ], "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2" }, { "reference_url": "https://www.openssh.org/releasenotes.html#10.3p1", "reference_id": "releasenotes.html#10.3p1", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:46:05Z/" } ], "url": "https://www.openssh.org/releasenotes.html#10.3p1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055829?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068120?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068121?format=api", "purl": "pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.0p1-7%252Bdeb13u2" }, { "url": "http://public2.vulnerablecode.io/api/packages/1055831?format=api", "purl": "pkg:deb/debian/openssh@1:10.2p1-2~bpo13%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.2p1-2~bpo13%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1062956?format=api", "purl": "pkg:deb/debian/openssh@1:10.3p1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.3p1-1" } ], "aliases": [ "CVE-2026-35388" ], "risk_score": 1.1, "exploitability": "0.5", "weighted_severity": "2.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bnrq-2fsr-mfgd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349401?format=api", "vulnerability_id": "VCID-kgn5-p8kx-qucj", "summary": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35387.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35387.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35387", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07582", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07559", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08651", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08638", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08673", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08676", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08528", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08668", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08515", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35387" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35387", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35387" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132574", "reference_id": "1132574", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132574" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454494", "reference_id": "2454494", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454494" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2026/04/02/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:07:49Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3" }, { "reference_url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2", "reference_id": "?l=openssh-unix-dev&m=177513443901484&w=2", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:07:49Z/" } ], "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2" }, { "reference_url": "https://www.openssh.org/releasenotes.html#10.3p1", "reference_id": "releasenotes.html#10.3p1", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:07:49Z/" } ], "url": "https://www.openssh.org/releasenotes.html#10.3p1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055829?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u8" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068120?format=api", "purl": "pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:9.2p1-2%252Bdeb12u9" }, { "url": "http://public2.vulnerablecode.io/api/packages/1068121?format=api", "purl": "pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.0p1-7%252Bdeb13u2" }, { "url": "http://public2.vulnerablecode.io/api/packages/1055831?format=api", "purl": "pkg:deb/debian/openssh@1:10.2p1-2~bpo13%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.2p1-2~bpo13%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1062956?format=api", "purl": "pkg:deb/debian/openssh@1:10.3p1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.3p1-1" } ], "aliases": [ "CVE-2026-35387" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kgn5-p8kx-qucj" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/openssh@1:10.0p1-7%252Bdeb13u2" }