Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u7
purl pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u7
Next non-vulnerable version 1:9.2p1-2+deb12u8
Latest non-vulnerable version 1:10.3p1-1
Risk 3.7
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-792n-jkzj-qqhd
Aliases:
CVE-2026-35385
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
1:10.2p1-2~bpo13+1
Affected by 0 other vulnerabilities.
1:10.3p1-1
Affected by 0 other vulnerabilities.
VCID-8efr-budq-6bb6
Aliases:
CVE-2026-35414
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
1:10.2p1-2~bpo13+1
Affected by 0 other vulnerabilities.
1:10.3p1-1
Affected by 0 other vulnerabilities.
VCID-a4eq-r71a-buhm
Aliases:
CVE-2026-35386
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
1:10.2p1-2~bpo13+1
Affected by 0 other vulnerabilities.
1:10.3p1-1
Affected by 0 other vulnerabilities.
VCID-a7m6-uqbt-nqd9
Aliases:
CVE-2025-61985
openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
VCID-ajmg-5kgx-k7h5
Aliases:
CVE-2026-3497
openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
1:10.2p1-2~bpo13+1
Affected by 0 other vulnerabilities.
VCID-bnrq-2fsr-mfgd
Aliases:
CVE-2026-35388
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
1:10.2p1-2~bpo13+1
Affected by 0 other vulnerabilities.
1:10.3p1-1
Affected by 0 other vulnerabilities.
VCID-kgn5-p8kx-qucj
Aliases:
CVE-2026-35387
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
1:10.2p1-2~bpo13+1
Affected by 0 other vulnerabilities.
1:10.3p1-1
Affected by 0 other vulnerabilities.
VCID-wga4-sqwk-4bfj
Aliases:
CVE-2025-61984
openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand
1:9.2p1-2+deb12u8
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (6)
Vulnerability Summary Aliases
VCID-a7m6-uqbt-nqd9 openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand CVE-2025-61985
VCID-ajmg-5kgx-k7h5 openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables CVE-2026-3497
VCID-b4uc-yh56-muej openssh: possible bypass of fido 2 devices and ssh-askpass CVE-2021-36368
VCID-ha8v-pqwf-r3a1 Multiple vulnerabilities have been found in OpenSSH, the worst of which could allow a remote attacker to gain unauthorized access. CVE-2025-26465
VCID-hse5-y15y-n3dw openssh: OpenSSH SSHD Agent Forwarding and X11 Forwarding CVE-2025-32728
VCID-wga4-sqwk-4bfj openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand CVE-2025-61984

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T13:07:42.157399+00:00 Debian Importer Affected by VCID-792n-jkzj-qqhd https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:17:28.803430+00:00 Debian Importer Fixing VCID-a7m6-uqbt-nqd9 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:08:33.761630+00:00 Debian Importer Fixing VCID-b4uc-yh56-muej https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:05:40.500458+00:00 Debian Importer Affected by VCID-8efr-budq-6bb6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:51:17.456317+00:00 Debian Importer Affected by VCID-kgn5-p8kx-qucj https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:35:40.184276+00:00 Debian Importer Affected by VCID-a7m6-uqbt-nqd9 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:27:35.233450+00:00 Debian Importer Affected by VCID-wga4-sqwk-4bfj https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:16:30.648371+00:00 Debian Importer Affected by VCID-ajmg-5kgx-k7h5 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:50:21.756054+00:00 Debian Importer Fixing VCID-ajmg-5kgx-k7h5 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:37:47.435697+00:00 Debian Importer Fixing VCID-wga4-sqwk-4bfj https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:27:50.392773+00:00 Debian Importer Affected by VCID-a4eq-r71a-buhm https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:46:37.154019+00:00 Debian Importer Affected by VCID-bnrq-2fsr-mfgd https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T00:48:12.341314+00:00 Debian Oval Importer Fixing VCID-hse5-y15y-n3dw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-15T20:13:24.583413+00:00 Debian Oval Importer Fixing VCID-ha8v-pqwf-r3a1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.4.0
2026-04-13T09:01:44.666293+00:00 Debian Importer Affected by VCID-792n-jkzj-qqhd https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:24:21.135754+00:00 Debian Importer Fixing VCID-a7m6-uqbt-nqd9 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:18:06.921396+00:00 Debian Importer Fixing VCID-b4uc-yh56-muej https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:16:01.256312+00:00 Debian Importer Affected by VCID-8efr-budq-6bb6 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:05:31.904258+00:00 Debian Importer Affected by VCID-kgn5-p8kx-qucj https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:54:18.104401+00:00 Debian Importer Affected by VCID-a7m6-uqbt-nqd9 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:48:31.879337+00:00 Debian Importer Affected by VCID-wga4-sqwk-4bfj https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:40:10.147663+00:00 Debian Importer Affected by VCID-ajmg-5kgx-k7h5 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:20:17.715581+00:00 Debian Importer Fixing VCID-ajmg-5kgx-k7h5 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:11:05.971755+00:00 Debian Importer Fixing VCID-wga4-sqwk-4bfj https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:03:37.504635+00:00 Debian Importer Affected by VCID-a4eq-r71a-buhm https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T05:45:21.212041+00:00 Debian Importer Affected by VCID-bnrq-2fsr-mfgd https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-12T00:20:43.215884+00:00 Debian Oval Importer Fixing VCID-hse5-y15y-n3dw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-11T19:55:12.241417+00:00 Debian Oval Importer Fixing VCID-ha8v-pqwf-r3a1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.3.0
2026-04-08T23:51:28.132504+00:00 Debian Oval Importer Fixing VCID-hse5-y15y-n3dw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T19:37:41.687614+00:00 Debian Importer Fixing VCID-b4uc-yh56-muej https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T19:37:12.576444+00:00 Debian Oval Importer Fixing VCID-ha8v-pqwf-r3a1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0
2026-04-08T19:15:35.930025+00:00 Debian Importer Affected by VCID-a7m6-uqbt-nqd9 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T19:11:32.204331+00:00 Debian Importer Affected by VCID-wga4-sqwk-4bfj https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T19:05:45.708086+00:00 Debian Importer Affected by VCID-ajmg-5kgx-k7h5 https://security-tracker.debian.org/tracker/data/json 38.1.0