CVE-2026-35386

ADVISORY - nist

Summary

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

EPSS Score⁠: 0.00028 (0.080)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-696⁠

Incorrect Behavior Order

ADVISORY - redhat

CWE-78⁠

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impacted images

Advisories

NIST

CREATED

28 days ago

UPDATED

3 days ago

ADVISORY IDCVE-2026-35386⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-696⁠

CVSS SCORE

3.6low

Alpine

CREATED

3 days ago

UPDATED

3 days ago

ADVISORY IDCVE-2026-35386⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

28 days ago

UPDATED

2 days ago

ADVISORY IDCVE-2026-35386⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

28 days ago

UPDATED

1 day ago

ADVISORY IDCVE-2026-35386⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

8.1medium

Red Hat

CREATED

28 days ago

UPDATED

27 days ago

ADVISORY IDCVE-2026-35386⁠

EXPLOITABILITY SCORE

1.0

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-78⁠

CVSS SCORE

3.6low

Photon

CREATED

4 days ago

UPDATED

4 days ago

ADVISORY ID

CVE-2026-35386

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

3.5low