Search for packages
| purl | pkg:deb/debian/openssh@1:10.2p1-6 |
| Next non-vulnerable version | 1:10.3p1-1 |
| Latest non-vulnerable version | 1:10.3p1-1 |
| Risk | 3.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-792n-jkzj-qqhd
Aliases: CVE-2026-35385 |
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). |
Affected by 0 other vulnerabilities. |
|
VCID-8efr-budq-6bb6
Aliases: CVE-2026-35414 |
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. |
Affected by 0 other vulnerabilities. |
|
VCID-a4eq-r71a-buhm
Aliases: CVE-2026-35386 |
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. |
Affected by 0 other vulnerabilities. |
|
VCID-bnrq-2fsr-mfgd
Aliases: CVE-2026-35388 |
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. |
Affected by 0 other vulnerabilities. |
|
VCID-kgn5-p8kx-qucj
Aliases: CVE-2026-35387 |
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T13:07:42.176318+00:00 | Debian Importer | Affected by | VCID-792n-jkzj-qqhd | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T12:05:40.518004+00:00 | Debian Importer | Affected by | VCID-8efr-budq-6bb6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T11:51:17.474812+00:00 | Debian Importer | Affected by | VCID-kgn5-p8kx-qucj | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:27:50.413034+00:00 | Debian Importer | Affected by | VCID-a4eq-r71a-buhm | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:46:37.162508+00:00 | Debian Importer | Affected by | VCID-bnrq-2fsr-mfgd | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T09:01:44.690039+00:00 | Debian Importer | Affected by | VCID-792n-jkzj-qqhd | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T08:16:01.280069+00:00 | Debian Importer | Affected by | VCID-8efr-budq-6bb6 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T08:05:31.926716+00:00 | Debian Importer | Affected by | VCID-kgn5-p8kx-qucj | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:03:37.529735+00:00 | Debian Importer | Affected by | VCID-a4eq-r71a-buhm | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T05:45:21.236120+00:00 | Debian Importer | Affected by | VCID-bnrq-2fsr-mfgd | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |