Search for packages
| purl | pkg:deb/debian/openssh@1:10.0p1-7%2Bdeb13u1 |
| Next non-vulnerable version | 1:10.2p1-2~bpo13+1 |
| Latest non-vulnerable version | 1:10.3p1-1 |
| Risk | 3.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-792n-jkzj-qqhd
Aliases: CVE-2026-35385 |
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8efr-budq-6bb6
Aliases: CVE-2026-35414 |
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-a4eq-r71a-buhm
Aliases: CVE-2026-35386 |
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ajmg-5kgx-k7h5
Aliases: CVE-2026-3497 |
openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables |
Affected by 0 other vulnerabilities. |
|
VCID-bnrq-2fsr-mfgd
Aliases: CVE-2026-35388 |
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-kgn5-p8kx-qucj
Aliases: CVE-2026-35387 |
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T13:07:42.166693+00:00 | Debian Importer | Affected by | VCID-792n-jkzj-qqhd | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T12:05:40.509297+00:00 | Debian Importer | Affected by | VCID-8efr-budq-6bb6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T11:51:17.465689+00:00 | Debian Importer | Affected by | VCID-kgn5-p8kx-qucj | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T11:16:30.657589+00:00 | Debian Importer | Affected by | VCID-ajmg-5kgx-k7h5 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:27:50.402600+00:00 | Debian Importer | Affected by | VCID-a4eq-r71a-buhm | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:46:37.158281+00:00 | Debian Importer | Affected by | VCID-bnrq-2fsr-mfgd | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T09:01:44.678157+00:00 | Debian Importer | Affected by | VCID-792n-jkzj-qqhd | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T08:16:01.268334+00:00 | Debian Importer | Affected by | VCID-8efr-budq-6bb6 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T08:05:31.915403+00:00 | Debian Importer | Affected by | VCID-kgn5-p8kx-qucj | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:40:10.158658+00:00 | Debian Importer | Affected by | VCID-ajmg-5kgx-k7h5 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:03:37.517129+00:00 | Debian Importer | Affected by | VCID-a4eq-r71a-buhm | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T05:45:21.223623+00:00 | Debian Importer | Affected by | VCID-bnrq-2fsr-mfgd | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-08T19:05:45.722556+00:00 | Debian Importer | Affected by | VCID-ajmg-5kgx-k7h5 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |