[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2016-3115":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":34,"aliases":49,"duplicate_of":9,"upstream":50,"downstream":51,"duplicates":74,"related":75,"reserved_at":9,"published_at":81,"modified_at":82,"state":83,"summary":84,"references_raw":92,"kevs":209,"epss":210,"epss_history":213,"metrics":450,"affected":465},"CVE-2016-3115","Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.",null,[11,18],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":9,"likelihood_of_exploit":9,"capec":17},"NVD-CWE-OTHER","Other","NVD uses this CWE ID when the weakness does not map to any existing CWE entry.","placeholder","NVD-Reserved",[],{"_key":19,"id":19,"name":20,"description":21,"type":22,"status":23,"abstraction":24,"likelihood_of_exploit":9,"capec":25},"CWE-93","Improper Neutralization of CRLF Sequences ('CRLF Injection')","The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.","weakness","Draft","Base",[26,30],{"id":27,"name":28,"techniques":29},"CAPEC-15","Command Delimiters",[],{"id":31,"name":32,"techniques":33},"CAPEC-81","Web Server Logs Tampering",[],[35],{"_key":36,"name":37,"source":38,"url":39,"maturity":40,"reliability_score":41,"verified":42,"type":43,"platforms":44,"requires_auth":9,"exploitdb":46,"metasploit":9},"39569","OpenSSH 7.2p1 - (Authenticated) xauth Command Injection","exploit-database","https://www.exploit-db.com/exploits/39569","poc",0.5,false,"remote",[45],"multiple",{"verified":42,"type":43,"platform":45,"file":47,"codes":48},"exploits/multiple/remote/39569.py",[7],[],[],[52,54,56,58,60,62,64,66,68,70,72],{"_key":53},"RHSA-2016:0466",{"_key":55},"SUSE-SU-2016:1386-1",{"_key":57},"SUSE-SU-2016:1528-1",{"_key":59},"SUSE-SU-2016:2388-1",{"_key":61},"SUSE-SU-2016:2555-1",{"_key":63},"DLA-1500-1",{"_key":65},"MGASA-2016-0108",{"_key":67},"DEBIAN-CVE-2016-3115",{"_key":69},"RHSA-2016:0465",{"_key":71},"UBUNTU-CVE-2016-3115",{"_key":73},"USN-2966-1",[],[76,77,78,79,80],{"_key":55},{"_key":57},{"_key":59},{"_key":61},{"_key":65},"2016-03-22T10:00:00.000Z","2026-05-29T20:27:16.046Z","Modified",{"cisa_kev":42,"cisa_ransomware":42,"cisa_vendor":9,"epss_severity":85,"epss_score":86,"severity":87,"severity_score":88,"severity_version":89,"severity_source":90,"severity_vector":91,"severity_status":83},"critical",0.50367,"medium",6.4,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",[93,100,104,109,113,118,122,128,133,137,143,148,152,156,160,164,169,174,178,184,188,193,197,201,205],{"url":94,"sources":95,"tags":97},"http://www.openssh.com/txt/x11fwd.adv",[96,90],"cve.org",[98,99],"X Refsource CONFIRM","Vendor Advisory",{"url":101,"sources":102,"tags":103},"http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html",[96,90],[98,99],{"url":105,"sources":106,"tags":107},"https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115",[96,90],[108],"X Refsource MISC",{"url":110,"sources":111,"tags":112},"http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html",[96,90],[108],{"url":114,"sources":115,"tags":116},"https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc",[96,90],[99,117],"X Refsource FREEBSD",{"url":119,"sources":120,"tags":121},"http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html",[96,90],[98],{"url":123,"sources":124,"tags":125},"https://www.exploit-db.com/exploits/39569/",[96,90],[126,127],"Exploit","X Refsource EXPLOIT DB",{"url":129,"sources":130,"tags":131},"http://rhn.redhat.com/errata/RHSA-2016-0466.html",[96,90],[99,132],"X Refsource REDHAT",{"url":134,"sources":135,"tags":136},"http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c",[96,90],[98],{"url":138,"sources":139,"tags":140},"http://www.securitytracker.com/id/1035249",[96,90],[141,142],"VDB Entry","X Refsource SECTRACK",{"url":144,"sources":145,"tags":146},"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html",[96,90],[99,147],"X Refsource FEDORA",{"url":149,"sources":150,"tags":151},"http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",[96,90],[98],{"url":153,"sources":154,"tags":155},"http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h",[96,90],[98],{"url":157,"sources":158,"tags":159},"http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html",[96,90],[99,147],{"url":161,"sources":162,"tags":163},"https://bto.bluecoat.com/security-advisory/sa121",[96,90],[98],{"url":165,"sources":166,"tags":167},"https://security.gentoo.org/glsa/201612-18",[96,90],[99,168],"X Refsource GENTOO",{"url":170,"sources":171,"tags":172},"http://www.securityfocus.com/bid/84314",[96,90],[141,173],"X Refsource BID",{"url":175,"sources":176,"tags":177},"http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html",[96,90],[99,147],{"url":179,"sources":180,"tags":181},"https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html",[96,90],[182,183],"Mailing List","X Refsource MLIST",{"url":185,"sources":186,"tags":187},"http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html",[96,90],[99,147],{"url":189,"sources":190,"tags":191},"http://seclists.org/fulldisclosure/2016/Mar/47",[96,90],[182,192],"X Refsource FULLDISC",{"url":194,"sources":195,"tags":196},"http://rhn.redhat.com/errata/RHSA-2016-0465.html",[96,90],[99,132],{"url":198,"sources":199,"tags":200},"http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html",[96,90],[99,147],{"url":202,"sources":203,"tags":204},"http://seclists.org/fulldisclosure/2016/Mar/46",[96,90],[182,192],{"url":206,"sources":207,"tags":208},"http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html",[96,90],[99,147],[],{"date":211,"score":86,"percentile":212},"2026-06-04",0.97891,[214,218,220,223,226,228,230,232,234,237,239,242,244,246,248,251,253,256,259,261,263,265,267,269,271,273,275,278,282,285,287,291,294,296,299,302,305,308,311,314,316,319,321,324,327,330,333,335,337,340,342,344,347,350,354,357,360,362,365,368,371,373,376,379,382,384,387,390,393,396,398,401,404,407,410,412,415,417,420,422,424,427,430,433,435,437,440,443,445,447],{"date":215,"score":216,"percentile":217},"2025-11-04",0.46041,0.97486,{"date":219,"score":216,"percentile":217},"2025-11-05",{"date":221,"score":216,"percentile":222},"2025-11-06",0.97484,{"date":224,"score":216,"percentile":225},"2025-11-07",0.97485,{"date":227,"score":216,"percentile":222},"2025-11-08",{"date":229,"score":216,"percentile":222},"2025-11-09",{"date":231,"score":216,"percentile":222},"2025-11-10",{"date":233,"score":216,"percentile":222},"2025-11-11",{"date":235,"score":216,"percentile":236},"2025-11-12",0.97487,{"date":238,"score":216,"percentile":236},"2025-11-13",{"date":240,"score":216,"percentile":241},"2025-11-14",0.97488,{"date":243,"score":216,"percentile":217},"2025-11-15",{"date":245,"score":216,"percentile":236},"2025-11-16",{"date":247,"score":216,"percentile":236},"2025-11-17",{"date":249,"score":216,"percentile":250},"2025-11-18",0.97491,{"date":252,"score":216,"percentile":250},"2025-11-19",{"date":254,"score":216,"percentile":255},"2025-11-20",0.97492,{"date":257,"score":216,"percentile":258},"2025-11-21",0.97482,{"date":260,"score":216,"percentile":258},"2025-11-22",{"date":262,"score":216,"percentile":258},"2025-11-23",{"date":264,"score":216,"percentile":222},"2025-11-24",{"date":266,"score":216,"percentile":225},"2025-11-25",{"date":268,"score":216,"percentile":225},"2025-11-26",{"date":270,"score":216,"percentile":236},"2025-11-27",{"date":272,"score":216,"percentile":241},"2025-11-28",{"date":274,"score":216,"percentile":225},"2025-11-29",{"date":276,"score":216,"percentile":277},"2025-11-30",0.97483,{"date":279,"score":280,"percentile":281},"2025-12-01",0.48342,0.97621,{"date":283,"score":280,"percentile":284},"2025-12-02",0.9762,{"date":286,"score":280,"percentile":281},"2025-12-03",{"date":288,"score":289,"percentile":290},"2025-12-04",0.43987,0.97381,{"date":292,"score":289,"percentile":293},"2025-12-05",0.9738,{"date":295,"score":289,"percentile":290},"2025-12-06",{"date":297,"score":289,"percentile":298},"2025-12-07",0.97382,{"date":300,"score":289,"percentile":301},"2025-12-08",0.97385,{"date":303,"score":289,"percentile":304},"2025-12-09",0.97383,{"date":306,"score":289,"percentile":307},"2025-12-10",0.97388,{"date":309,"score":289,"percentile":310},"2025-12-11",0.9739,{"date":312,"score":289,"percentile":313},"2025-12-12",0.97392,{"date":315,"score":289,"percentile":313},"2025-12-13",{"date":317,"score":289,"percentile":318},"2025-12-14",0.97389,{"date":320,"score":289,"percentile":313},"2025-12-15",{"date":322,"score":289,"percentile":323},"2025-12-16",0.97394,{"date":325,"score":289,"percentile":326},"2025-12-17",0.97396,{"date":328,"score":289,"percentile":329},"2025-12-18",0.97398,{"date":331,"score":289,"percentile":332},"2025-12-19",0.974,{"date":334,"score":289,"percentile":332},"2025-12-20",{"date":336,"score":289,"percentile":329},"2025-12-21",{"date":338,"score":289,"percentile":339},"2025-12-22",0.97397,{"date":341,"score":289,"percentile":326},"2025-12-23",{"date":343,"score":289,"percentile":339},"2025-12-24",{"date":345,"score":289,"percentile":346},"2025-12-25",0.97399,{"date":348,"score":289,"percentile":349},"2025-12-26",0.97401,{"date":351,"score":352,"percentile":353},"2025-12-27",0.54811,0.97942,{"date":355,"score":289,"percentile":356},"2025-12-28",0.97402,{"date":358,"score":289,"percentile":359},"2025-12-29",0.97403,{"date":361,"score":289,"percentile":359},"2025-12-30",{"date":363,"score":289,"percentile":364},"2025-12-31",0.97408,{"date":366,"score":280,"percentile":367},"2026-01-01",0.97644,{"date":369,"score":280,"percentile":370},"2026-01-02",0.97646,{"date":372,"score":280,"percentile":370},"2026-01-03",{"date":374,"score":289,"percentile":375},"2026-01-04",0.9741,{"date":377,"score":289,"percentile":378},"2026-01-05",0.97409,{"date":380,"score":289,"percentile":381},"2026-01-06",0.97411,{"date":383,"score":289,"percentile":381},"2026-01-07",{"date":385,"score":289,"percentile":386},"2026-01-08",0.97413,{"date":388,"score":289,"percentile":389},"2026-01-09",0.97416,{"date":391,"score":289,"percentile":392},"2026-01-10",0.97418,{"date":394,"score":289,"percentile":395},"2026-01-11",0.97417,{"date":397,"score":289,"percentile":395},"2026-01-12",{"date":399,"score":289,"percentile":400},"2026-01-13",0.97419,{"date":402,"score":289,"percentile":403},"2026-01-14",0.97422,{"date":405,"score":289,"percentile":406},"2026-01-15",0.97423,{"date":408,"score":289,"percentile":409},"2026-01-16",0.97425,{"date":411,"score":289,"percentile":409},"2026-01-17",{"date":413,"score":289,"percentile":414},"2026-01-18",0.97421,{"date":416,"score":289,"percentile":406},"2026-01-19",{"date":418,"score":289,"percentile":419},"2026-01-20",0.97424,{"date":421,"score":289,"percentile":409},"2026-01-21",{"date":423,"score":289,"percentile":409},"2026-01-22",{"date":425,"score":289,"percentile":426},"2026-01-23",0.97428,{"date":428,"score":289,"percentile":429},"2026-01-24",0.97429,{"date":431,"score":289,"percentile":432},"2026-01-25",0.97427,{"date":434,"score":289,"percentile":429},"2026-01-26",{"date":436,"score":289,"percentile":429},"2026-01-27",{"date":438,"score":289,"percentile":439},"2026-01-28",0.97431,{"date":441,"score":289,"percentile":442},"2026-01-29",0.97432,{"date":444,"score":289,"percentile":439},"2026-01-30",{"date":446,"score":289,"percentile":442},"2026-01-31",{"date":448,"score":280,"percentile":449},"2026-02-01",0.97664,[451,463],{"source":90,"cvss_v2_0":452,"cvss_v3_0":457,"cvss_v3_1":462,"cvss_v4_0":9},{"baseScore":453,"baseSeverity":9,"vectorString":454,"impactScore":455,"exploitabilityScore":456},5.5,"AV:N/AC:L/Au:S/C:P/I:P/A:N",4.9,8,{"baseScore":88,"baseSeverity":458,"vectorString":459,"impactScore":460,"exploitabilityScore":461},"MEDIUM","CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",4.5,7.9,{"baseScore":88,"baseSeverity":458,"vectorString":91,"impactScore":460,"exploitabilityScore":461},{"source":96,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":464,"cvss_v4_0":9},{"baseScore":88,"baseSeverity":458,"vectorString":91,"impactScore":460,"exploitabilityScore":461},[466,477],{"ecosystem":9,"name":467,"vendor":468,"product":467,"cpe_part":469,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":470},"openssh","openbsd","a",[471],{"version":472,"is_range":473,"range_type":474,"version_start":9,"version_start_type":9,"version_end":475,"version_end_type":476,"fixed_in":9},"lte7.2",true,"cpe","7.2","including",{"ecosystem":9,"name":478,"vendor":479,"product":480,"cpe_part":481,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":482},"vm server","oracle","vm_server","o",[483],{"version":484,"is_range":42,"range_type":474,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"3.2"]