EUVD-2026-36056

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh sshsftpd module allows File Discovery. The SSHFXPREADLINK handler in sshsftpd sends the raw result of file:readlink/2 to the client without calling chrootfilename/2 to strip the backend root prefix. An...

EEF-CVE-2026-48855 SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured

Summary Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh ssh\sftpd module allows File Discovery. The SSH\FXP\READLINK handler in ssh\sftpd sends the raw result of file:read\link/2 to the client without calling chroot\filename/2 to strip the backend root...

EUVD-2026-36054

Observable Timing Discrepancy vulnerability in Erlang/OTP ssh sshauth, sshoptions modules allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the userpasswords or password option, sshauth:checkpassword/3...

CVE-2026-48859 SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration

Observable Timing Discrepancy vulnerability in Erlang/OTP ssh sshauth, sshoptions modules allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the userpasswords or password option, sshauth:checkpassword/3...

CVE-2026-45549 Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

CVE-2026-45552 Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.beforerequest → @jwtrequired app/routes/install/routes.py:36-39. The individual endpoints installexporter, installwaf, installgeoip,...

CVE-2026-45552

CVE-2026-45552 affects Roxy-WI web interface (versions up to 8.2.6.4). The install blueprint allows bp.before_request → @jwt_required(), but several endpoints under /install/* (install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, get_task_status) lack admin/ownership c...

Important: Red Hat Security Advisory: openssh security update

An update for openssh is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

DEBIAN-CVE-2026-11837

A local privilege escalation vulnerability was found in the ansible.posix authorizedkey module. The module's keyfile function uses os.chown instead of os.lchown and opens files without ONOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their...

EUVD-2026-35982

A local privilege escalation vulnerability was found in the ansible.posix authorizedkey module. The module's keyfile function uses os.chown instead of os.lchown and opens files without ONOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their...

CVE-2026-11837

A local privilege escalation vulnerability was found in the ansible.posix authorizedkey module. The module's keyfile function uses os.chown instead of os.lchown and opens files without ONOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their...

Exploit for CVE-2026-48732

CVE-2026-48732: Warp Remote SSH cwd Command Injection PoC...

PT-2026-48545

Name of the Vulnerable Software and Affected Versions russh versions 0.37.0 through 0.60.2 Description In the keyboard-interactive authentication path of the client, a malicious SSH server can send a USERAUTH INFO REQUEST containing an attacker-controlled prompt count. The client uses this raw...

Erlang/OTP -- timing-based username enumeration in SSH password authentication

https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4 reports: A timing-based username enumeration vulnerability during password authentication with the userpasswords option has been fixed by performing a dummy PBKDF2 computation for invalid usernames, so authentication timing no...

MGASA-2026-0182 Updated ruby-net-ssh packages fix security vulnerabilities

This update fixes CVE-2023-48795: Prefix Truncation Attacks in SSH Specification Terrapin Attack , for ruby-net-ssh...

Updated ruby-net-ssh packages fix security vulnerabilities

This update fixes CVE-2023-48795: Prefix Truncation Attacks in SSH Specification Terrapin Attack , for ruby-net-ssh...

MAL-2026-5398 Malicious code in hey-base32 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517 The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point bin/hey-base32.js starts a remote-access tunnel on...

Malicious code in hey-base32 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517 The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point bin/hey-base32.js starts a remote-access tunnel on...

MAL-2026-5360 Malicious code in wallet-sdk-9 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...

Malicious code in ethereum-kit-9 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...