CVE-2026-0964

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Exploitability : 1.6 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2026-0964
https://bugzilla.redhat.com/show_bug.cgi?id=2436979
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 21:17

Updated : 2026-03-30 13:26

NVD link : CVE-2026-0964

Mitre link : CVE-2026-0964

CVE.ORG link : CVE-2026-0964

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

5.0 /10