Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-54590

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-08 Jul, 2026 | 20:36
Updated At-10 Jul, 2026 | 15:00
Rejected At-
Credits

AsyncSSH AuthorizedKeysFile username substitution bypass through ~ and environment expansion

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:08 Jul, 2026 | 20:36
Updated At:10 Jul, 2026 | 15:00
Rejected At:
▼CVE Numbering Authority (CNA)
AsyncSSH AuthorizedKeysFile username substitution bypass through ~ and environment expansion

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.

Affected Products
Vendor
ronf
Product
asyncssh
Versions
Affected
  • < 2.23.1
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWECWE-639CWE-639: Authorization Bypass Through User-Controlled Key
Type: CWE
CWE ID: CWE-22
Description: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-639
Description: CWE-639: Authorization Bypass Through User-Controlled Key
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
x_refsource_CONFIRM
https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88
x_refsource_MISC
https://github.com/ronf/asyncssh/releases/tag/v2.23.1
x_refsource_MISC
Hyperlink: https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88
Resource:
x_refsource_MISC
Hyperlink: https://github.com/ronf/asyncssh/releases/tag/v2.23.1
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
exploit
Hyperlink: https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:08 Jul, 2026 | 21:16
Updated At:10 Jul, 2026 | 19:22

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-22Secondarysecurity-advisories@github.com
CWE-639Secondarysecurity-advisories@github.com
CWE ID: CWE-22
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-639
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88security-advisories@github.com
N/A
https://github.com/ronf/asyncssh/releases/tag/v2.23.1security-advisories@github.com
N/A
https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwhsecurity-advisories@github.com
N/A
https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh134c704f-9b21-4f2e-91b3-4a467353bcc0
N/A
Hyperlink: https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/ronf/asyncssh/releases/tag/v2.23.1
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

11Records found

CVE-2026-54591
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.32% / 23.76%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 20:33
Updated-10 Jul, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AsyncSSH: SCP Path Traversal to Arbitrary File Write

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.1, a malicious SSH server can write arbitrary files on the asyncssh SCP client's filesystem by sending filenames containing ../ traversal sequences because _parse_cd_args in scp.py returns server-provided names verbatim and _recv_files joins them to the destination path without enforcing the target directory boundary. This issue is fixed in version 2.23.1.

Action-Not Available
Vendor-ronf
Product-asyncssh
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-45309
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-Not Assigned
Published-17 Jul, 2026 | 18:40
Updated-17 Jul, 2026 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.0, AsyncSSH expands the OpenSSH-compatible AuthorizedKeysFile %u token in asyncssh/config.py, asyncssh/connection.py, asyncssh/auth_keys.py, and asyncssh/misc.py with the raw SSH username during pre-authentication server config reload, allowing a server configured with AuthorizedKeysFile authorized_keys/%u to read an authorized-keys file outside the intended directory when the SSH username contains /, \, or .. path traversal segments and authenticate with an attacker-selected key file. This issue is fixed in version 2.23.0.

Action-Not Available
Vendor-ronf
Product-asyncssh
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-41245
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.34% / 25.78%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 15:15
Updated-15 Jul, 2026 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.

Action-Not Available
Vendor-junrar_projectjunrarRed Hat, Inc.
Product-junrarjunrarRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-28208
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-12.04% / 95.67%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 22:20
Updated-02 Mar, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on Linux/Unix

Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc). Version 7.5.8 has a fix for the issue.

Action-Not Available
Vendor-junrar_projectjunrar
Product-junrarjunrar
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-39844
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.37% / 29.33%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 20:13
Updated-15 Apr, 2026 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NiceGUI has a Path Traversal in NiceGUI Upload Filename on Windows via Backslash Bypass of PurePosixPath Sanitization

NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.

Action-Not Available
Vendor-zauberzeugzauberzeugMicrosoft Corporation
Product-niceguiwindowsnicegui
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-27906
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-1.04% / 60.06%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 19:36
Updated-03 Aug, 2024 | 05:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mendelson OFTP2 before 1.1 b43 is affected by directory traversal. To access the vulnerable code path, the attacker has to know one of the configured Odette IDs of the OFTP2 server. An attacker can upload files to the server outside of the intended upload directory.

Action-Not Available
Vendor-mendelsonn/a
Product-oftp2n/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-3806
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-5.3||MEDIUM
EPSS-0.70% / 48.94%
||
7 Day CHG+0.02%
Published-18 Sep, 2021 | 13:20
Updated-18 May, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal in Pardus Software Center

A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.

Action-Not Available
Vendor-tubitakTUBITAK
Product-pardus_software_centerPardus Software Center
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-6908
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.1||LOW
EPSS-0.76% / 50.95%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 01:00
Updated-02 Aug, 2024 | 08:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DFIRKuiper TAR Archive case_management.py unzip_file path traversal

A vulnerability, which was classified as problematic, was found in DFIRKuiper Kuiper 2.3.4. This affects the function unzip_file of the file kuiper/app/controllers/case_management.py of the component TAR Archive Handler. The manipulation of the argument dst_path leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 2.3.5 is able to address this issue. The identifier of the patch is 94fa135153002f651f5526c55a7240e083db8d73. It is recommended to upgrade the affected component. The identifier VDB-248277 was assigned to this vulnerability.

Action-Not Available
Vendor-dfirkuiperDFIRKuiper
Product-kuiperKuiper
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-3964
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.78% / 51.75%
||
7 Day CHG~0.00%
Published-01 Dec, 2021 | 11:25
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in elgg/elgg

elgg is vulnerable to Authorization Bypass Through User-Controlled Key

Action-Not Available
Vendor-elggelgg
Product-elggelgg/elgg
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2020-5720
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-5.9||MEDIUM
EPSS-1.06% / 60.76%
||
7 Day CHG~0.00%
Published-06 Feb, 2020 | 16:51
Updated-04 Aug, 2024 | 08:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MikroTik WinBox before 3.21 is vulnerable to a path traversal vulnerability that allows creation of arbitrary files wherevere WinBox has write permissions. WinBox is vulnerable to this attack if it connects to a malicious endpoint or if an attacker mounts a man in the middle attack.

Action-Not Available
Vendor-n/aMikroTik
Product-winboxMikroTik WinBox
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-6111
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-58.20% / 98.99%
||
7 Day CHG~0.00%
Published-31 Jan, 2019 | 00:00
Updated-18 Dec, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

Action-Not Available
Vendor-winscpn/aDebian GNU/LinuxFujitsu LimitedThe Apache Software FoundationFreeBSD FoundationSiemens AGRed Hat, Inc.Fedora ProjectCanonical Ltd.OpenBSD
Product-enterprise_linux_server_ausm10-4enterprise_linux_eusopensshm12-2s_firmwarem10-4_firmwarem10-4sm12-1_firmwareubuntu_linuxscalance_x204rna_eec_firmwaremina_sshdm12-1m12-2sm12-2_firmwarem10-4s_firmwareenterprise_linuxenterprise_linux_server_tusm12-2winscpfreebsddebian_linuxfedorascalance_x204rnam10-1_firmwarescalance_x204rna_eecscalance_x204rna_firmwarem10-1n/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Details not found