VulnerableCode Package Details - pkg:deb/debian/openssh@1:9.2p1-2%2Bdeb12u9

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-792n-jkzj-qqhd	In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).	CVE-2026-35385
VCID-8efr-budq-6bb6	OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.	CVE-2026-35414
VCID-a4eq-r71a-buhm	In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.	CVE-2026-35386
VCID-a7m6-uqbt-nqd9	openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand	CVE-2025-61985
VCID-ajmg-5kgx-k7h5	openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables	CVE-2026-3497
VCID-kgn5-p8kx-qucj	OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.	CVE-2026-35387
VCID-wga4-sqwk-4bfj	openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand	CVE-2025-61984

Vulnerability

Summary

Aliases

VCID-792n-jkzj-qqhd

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

CVE-2026-35385

VCID-8efr-budq-6bb6

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

CVE-2026-35414

VCID-a4eq-r71a-buhm

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

CVE-2026-35386

VCID-a7m6-uqbt-nqd9

openssh: OpenSSH: Null character in ssh:// URI can lead to code execution via ProxyCommand

CVE-2025-61985

VCID-ajmg-5kgx-k7h5

openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables

CVE-2026-3497

VCID-kgn5-p8kx-qucj

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

CVE-2026-35387

VCID-wga4-sqwk-4bfj

openssh: OpenSSH: Control characters in usernames can lead to code execution via ProxyCommand

CVE-2025-61984

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-19T05:55:11.646944+00:00	Debian Importer	Fixing	VCID-792n-jkzj-qqhd	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-19T04:50:52.655416+00:00	Debian Importer	Fixing	VCID-8efr-budq-6bb6	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-19T04:35:32.869175+00:00	Debian Importer	Fixing	VCID-kgn5-p8kx-qucj	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-19T04:19:05.511292+00:00	Debian Importer	Fixing	VCID-a7m6-uqbt-nqd9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-19T04:10:19.204642+00:00	Debian Importer	Fixing	VCID-wga4-sqwk-4bfj	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-19T03:58:41.440163+00:00	Debian Importer	Fixing	VCID-ajmg-5kgx-k7h5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-19T03:07:07.363541+00:00	Debian Importer	Fixing	VCID-a4eq-r71a-buhm	https://security-tracker.debian.org/tracker/data/json	38.4.0