Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
AT:P captures the attacker-server prerequisite; UI:A reflects the required active sftp invocation; VC:N/VI:L/VA:L matches bounded file-write impact with no confidentiality loss and no subsequent-system scope change.
Primary rating from Vendor (mitre).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionNVD
sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
AnalysisAI
Path traversal in the OpenSSH sftp client before version 10.4p1 allows an attacker-controlled server to write downloaded files outside the user's intended target directory when the 'sftp server:/path .' bulk-download syntax is used. Affected are all OpenSSH deployments where users sftp from untrusted or attacker-controlled hosts, which in practice spans virtually every Linux and Unix environment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous conditions: (1) the victim must actively invoke the sftp client using the specific 'sftp server:/path .' bulk-download syntax - not a passive or background operation - and (2) the server must be attacker-controlled or interceptable via MITM. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.2 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L) accurately reflects a meaningful but bounded threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker stands up a malicious SFTP server and entices a victim to download files using 'sftp attacker-server:/files .' - achievable via phishing, DNS poisoning, or BGP hijack. The malicious server returns filenames prefixed with path traversal sequences, causing the sftp client to silently write files such as a backdoored ~/.ssh/authorized_keys or a cron job outside the victim's intended download directory. … |
| Remediation | Upgrade to OpenSSH 10.4p1, which includes the fix constraining sftp client download paths; release notes are at https://www.openssh.org/releasenotes.html#10.4p1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42137
GHSA-2prh-86cw-fm96