CVE-2026-48711 is a high-severity argument injection vulnerability in sshfs affecting confirmed versions 1.4 through 3.7.5. The flaw arises from hostname processing of a crafted positional mount source such as "[-oProxyCommand=CMD]:/path". During parsing, sshfs treats the bracketed value as if it were an IPv6 literal; find_base_path() strips the brackets and leaves "-oProxyCommand=CMD" as the hostname. sshfs then passes this attacker-controlled hostname to the ssh client as an argument without validating that it is a legitimate hostname. Under the documented exploitation conditions, this allows attacker-supplied SSH options to be injected into the ssh invocation, including ProxyCommand, resulting in local command execution before the SSH connection fails. The issue is described as not requiring successful SSH authentication for code execution to occur.
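A pre-flight check for scripts that pass untrusted mount sources to sshfs, added here as an example; it is not sshfs code and not the upstream fix. `extract_host` is a simplified model of the bracket stripping described above, and the function names and allowed character set are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Simplified model (assumption) of the parsing the advisory describes: copy
 * everything up to the first ':' outside brackets, dropping the '[' and ']'
 * around an IPv6 literal. Returns 0 on success, -1 on malformed input. */
static int extract_host(const char *src, char *host, size_t cap)
{
    size_t n = 0;
    int in_br = 0;

    for (; *src && (in_br || *src != ':'); src++) {
        if (*src == '[' && !in_br) { in_br = 1; continue; }
        if (*src == ']' && in_br)  { in_br = 0; continue; }
        if (n + 1 >= cap) return -1;          /* host too long for buffer */
        host[n++] = *src;
    }
    if (in_br || *src != ':') return -1;      /* missing ']' or no host:path */
    host[n] = '\0';
    return 0;
}

/* Return 1 only if the mount source yields a host that cannot be read as an
 * ssh option: non-empty, first byte not '-', and only characters expected in
 * [user@]hostname or an IPv6 literal (with optional %zone). */
int mount_source_is_safe(const char *src)
{
    char host[256];
    const char *p;

    if (extract_host(src, host, sizeof host) != 0) return 0;
    /* Check the post-stripping value: that is what reaches the ssh client. */
    if (host[0] == '\0' || host[0] == '-') return 0;
    for (p = host; *p; p++) {
        if (!isalnum((unsigned char)*p) && !strchr(".-_:%@", *p))
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Exit status 0 = acceptable to hand to sshfs, 1 = reject. */
    return (argc == 2 && mount_source_is_safe(argv[1])) ? 0 : 1;
}
```

The check runs on the value left after bracket removal, so a leading `[` cannot hide a leading `-` from it.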
No public exploit code observed for this vulnerability.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.