HackerOne Disclosed Reports - 2026-01-07 | Dark C0d3rs (https://darkcoders.wiki)
HackerOne disclosed reports - 2026-01-07 - hashXploiter - 01-08-2026
Low
resolved CVE-2025-14524: bearer token leak on cross-protocol redirect
Bug reported by anonymous237 was disclosed at January 7, 2026, 10:13 am | Insufficiently Protected Credentials
Low
resolved CVE-2025-15079: libssh global knownhost override
Bug reported by nyymi was disclosed at January 7, 2026, 8:04 am | Improper Validation of Certificate with Host Mismatch
A vulnerability was discovered in libssh where the `SSH_OPTIONS_GLOBAL_KNOWNHOSTS` option was used to specify a global known_hosts file. If the host was not found in the file specified by `SSH_OPTIONS_KNOWNHOSTS`, the global file was checked, potentially allowing any host identities specified in the default file to be accepted. This was significant when the user tried to limit the known hosts to ones specified in their own file, as the global file would be checked if no match was found.
Low
resolved CVE-2025-15224: libssh key passphrase bypass without agent set
Bug reported by nyymi was disclosed at January 7, 2026, 8:03 am
A vulnerability was discovered in the libcurl libssh backend where the `CURLOPT_SSH_AUTH_TYPES` option did not properly implement the `CURLSSH_AUTH_AGENT` flag. As a result, if the `CURLSSH_AUTH_PUBLICKEY` option was set, the implementation would act as if `CURLSSH_AUTH_AGENT` was always defined, allowing authentication without the required key passphrase.