CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54590

mediumCVSS 5.9covered by 1 sourcefirst seen 2026-07-08
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but does not block a leading ~ or ${ENV}, allowing later expansion in _expand_val and Path(filename).expanduser() to escape the intended authorized-keys directory. This issue is fixed in version 2.23.1.

⚡ Watch CVE-2026-54590

Get an email if CVE-2026-54590 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54590

CVE.org record

Embed the live status

CVE-2026-54590 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54590 status](https://www.csirts.com/badge/CVE-2026-54590)](https://www.csirts.com/cve/CVE-2026-54590)