Based on reporting by The Hacker News →
Introduction
A public proof-of-concept exploit has emerged for a critical vulnerability in libssh2, the client-side SSH library used by thousands of applications and operating systems. This flaw flips the typical server-side attack script: this time, the SSH server itself can weaponize against the connecting client.
The problem
According to a recent report by The Hacker News, a public proof-of-concept exploit has been released for CVE-2026-55200, a critical vulnerability in the libssh2 library. The flaw, carrying a CVSS 4.0 score of 9.2, resides entirely on the client side. Its mechanics are unsettling: a malicious or compromised SSH server can trigger memory corruption in any connecting client that uses a vulnerable version of libssh2. No credentials are required, and the attack requires no user interaction beyond the initial connection. The bug affects every libssh2 release up to and including version 1.11.1.
Consequences
Successful exploitation could allow an attacker operating the rogue server to achieve code execution on the client machine. This means a developer, system administrator, or automated CI/CD pipeline that connects via SSH to what appears to be a legitimate host could have their endpoint compromised silently. The potential for lateral movement and data exfiltration from compromised client systems is significant, especially given the library's embedded use in tools like cURL, Git clients, and various OS utilities.