CVE-2026-47187, CVE-2026-48711: sshfs &lt;= 3.7.5 symlink escape (local file read/write) and ssh argument injection (local command execution) Open Source Security / 9h Affected versions: sshfs <= 3.7.5 Fixed in: sshfs 3.7.6 https://github.com/libfuse/sshfs/releases/tag/sshfs-3.7.6 CVE-2026-47187: Symlink escape - rogue SFTP server -> local file read/write Severity: Critical (CVSS 9.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) CWE: CWE-59 (Improper Link Resolution Before File Access) A rogue

Source: seclists.org

Published:

Read original article