CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59997

mediumCVSS 4.2covered by 2 sourcesfirst seen 2026-07-02
internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.

CSIRTS triage

vendor: OpenSSHproduct: OpenSSHOtheraffected: before 10.4
What
OpenSSH's internal-sftp only recognizes the first 9 command-line arguments, potentially compromising SFTP security.
Who is affected
Deployments of OpenSSH before version 10.4 using internal-sftp.
Urgency
Remediation is medium urgency due to the potential security implications, though exploitation is not currently reported.
Action
Upgrade to OpenSSH version 10.4 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-59997

Get an email if CVE-2026-59997 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-59997

CVE.org record

Embed the live status

CVE-2026-59997 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59997 status](https://www.csirts.com/badge/CVE-2026-59997)](https://www.csirts.com/cve/CVE-2026-59997)