Vulnerabilities
Vulnerable Software
Openbsd:  >> Openssh  >> 1.2  Security Vulnerabilities
In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-08
sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
CVSS Score
3.7
EPSS Score
0.004
Published
2026-07-08
sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
CVSS Score
6.5
EPSS Score
0.003
Published
2026-07-08
ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
CVSS Score
7.7
EPSS Score
0.003
Published
2026-07-08
sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
CVSS Score
4.2
EPSS Score
0.002
Published
2026-07-08
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
CVSS Score
4.2
EPSS Score
0.002
Published
2026-07-08
internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
CVSS Score
4.2
EPSS Score
0.002
Published
2026-07-08
sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
CVSS Score
4.8
EPSS Score
0.002
Published
2026-07-08
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
CVSS Score
4.2
EPSS Score
0.002
Published
2026-04-02
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
CVSS Score
3.1
EPSS Score
0.002
Published
2026-04-02


Contact Us

Shodan ® - All rights reserved