Fluid Attacks Database

Description

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel6	openssh	-	-
rpm rhel10	openssh	<0:9.9p1-23.el10_2	0:9.9p1-23.el10_2
debian 12	openssh	=1:9.2p1-2 \|\| =1:9.2p1-2+deb12u1 \|\| =1:9.2p1-2+deb12u2 \|\| =1:9.2p1-2+deb12u3 \|\| =1:9.2p1-2+deb12u4 \|\| =1:9.2p1-2+deb12u5 \|\| =1:9.2p1-2+deb12u6 \|\| =1:9.2p1-2+deb12u7 \|\| =1:9.2p1-2+deb12u8 \|\| =1:9.2p1-2+deb12u9 \|\| >=0 <1:9.2p1-2+deb12u10	1:9.2p1-2+deb12u10
debian 13	openssh	=1:10.0p1-7 \|\| =1:10.0p1-7+deb13u1 \|\| =1:10.0p1-7+deb13u2 \|\| >=0 <1:10.0p1-7+deb13u3	1:10.0p1-7+deb13u3
debian 11	openssh	=1:8.4p1-5 \|\| =1:8.4p1-5+deb11u1 \|\| =1:8.4p1-5+deb11u2 \|\| =1:8.4p1-5+deb11u3 \|\| =1:8.4p1-5+deb11u4 \|\| =1:8.4p1-5+deb11u5 \|\| =1:8.4p1-5+deb11u6 \|\| >=0 <1:8.4p1-5+deb11u7	1:8.4p1-5+deb11u7
rpm rhel7	openssh	-	-
debian 14	openssh	=1:10.0p1-7 \|\| =1:10.0p1-8 \|\| =1:10.1p1-1 \|\| =1:10.1p1-2 \|\| =1:10.2p1-1 \|\| =1:10.2p1-2 \|\| =1:10.2p1-2~bpo13+1 \|\| =1:10.2p1-3 \|\| =1:10.2p1-4 \|\| =1:10.2p1-5 \|\| =1:10.2p1-6 \|\| =1:10.2p1-6~bpo13+1 \|\| =1:10.3p1-1~bpo13+1 \|\| >=0 <1:10.3p1-1	1:10.3p1-1
rpm rhel8	openssh	<0:8.0p1-29.el8_10	0:8.0p1-29.el8_10
rpm rhel9	openssh	<0:8.7p1-49.el9_7 \|\| >=0:9.9p1, <0:9.9p1-7.el9_8	0:9.9p1-7.el9_8
rpm rhel10.0	openssh	<0:9.9p1-7.el10_0.3	0:9.9p1-7.el10_0.3

1-10 of 13

Aliases

1. CVE-2026-353862. NVD-2026-353863. OSV-2026-353864. OSV-DEBIAN-2026-353865. SECURITY-TRACKER-CVE-2026-35386

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.