CVE-2026-0964 MEDIUM

CVE-2026-0964: Libssh: improper sanitation of paths received from scp servers

Vendor: Red Hat
Product: Red Hat Enterprise Linux 6
Weakness: CWE-22 · Path traversal
Published: March 26, 2026
Last update: May 19, 2026

CVSS base score

5.0/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

A malicious SCP server can send unexpected paths that could make the client application overwrite local files outside of the working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific circumstances. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.
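
The client-side check this class of bug calls for, as an added example (not libssh's code or its patch): parse each SCP control record of the form "C<mode> <size> <name>" and accept the server-supplied name only when it is a single path component. The function names scp_name_is_safe and scp_parse_record are hypothetical, and the sample records in main are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: accept a server-supplied name only as one path component. */
int scp_name_is_safe(const char *name)
{
    if (!name || !*name || !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;
    /* No separators; '\\' is rejected too, for clients on Windows. */
    return strpbrk(name, "/\\") == NULL;
}

/* Hypothetical helper: parse "C<mode> <size> <name>\n" (file) or "D<mode> <size> <name>\n"
 * (directory). Returns 0 if well-formed and the name is safe, -1 otherwise. */
int scp_parse_record(const char *line, char *type, unsigned long *mode,
                     unsigned long long *size, char *name, size_t name_cap)
{
    char *end; size_t len;
    if (line == NULL || (line[0] != 'C' && line[0] != 'D') ||
        !isdigit((unsigned char)line[1]))
        return -1;
    *mode = strtoul(line + 1, &end, 8);          /* mode is octal */
    if (*end != ' ' || *mode > 07777 || !isdigit((unsigned char)end[1]))
        return -1;
    *size = strtoull(end + 1, &end, 10);
    if (*end != ' ')
        return -1;
    end++;
    len = strcspn(end, "\n");                    /* name runs to the newline */
    if (end[len] != '\n' || len == 0 || len >= name_cap)
        return -1;
    memcpy(name, end, len);
    name[len] = '\0';
    if (!scp_name_is_safe(name))                 /* refuse before touching the disk */
        return -1;
    *type = line[0];
    return 0;
}

int main(void)
{
    const char *recs[] = { "C0644 12 notes.txt\n", "C0644 12 ../notes.txt\n" }; /* constructed */
    char type, name[256]; unsigned long mode; unsigned long long size;
    for (size_t i = 0; i < 2; i++)
        printf("%s", scp_parse_record(recs[i], &type, &mode, &size, name, sizeof name) ? "reject\n" : "accept\n");
    return 0;
}
```

A rejected record should abort the transfer rather than be skipped, since the server has already shown it is not following the request.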

Key dates

02 Disclosure timeline

March 26, 2026: CVE published
May 19, 2026: Record updated