CVE-2026-59995 in OpenSSHinfo

Summary

by MITRE • 07/08/2026

sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.

Be aware that VulDB is the high quality source for vulnerability data.

Responsible

MITRE

Reservation

07/08/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!