libssh2 CVE-2026-55200: Pre-auth RCE via Malicious Server, Attack Surface Shifts to Clients
A critical heap out-of-bounds write vulnerability (CVE-2026-55200, CVSS 9.2) in libssh2 allows a malicious SSH server to achieve pre-auth RCE on connecting clients. The flaw affects curl, Git, PHP, and many other projects that statically link the library, which expands the attack surface from servers to virtually any client application, including CI/CD, backup, and embedded systems.
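Because statically linked copies do not show up in package inventories, one way to find them is to search binaries for the default client banner that libssh2 compiles in (`SSH-2.0-libssh2_<version>`). The script below is an added example, not code from the advisory or from the libssh2 project; the function names are hypothetical and the filename test that separates the shared library from an embedded copy is a heuristic. Assumptions: the build kept the default banner, and since the summary above names no fixed release, the script only reports the versions it finds.

```python
import os
import re
import sys

# Default client banner compiled into libssh2: "SSH-2.0-libssh2_<version>".
BANNER = re.compile(rb"SSH-2\.0-libssh2_([0-9][0-9A-Za-z._-]*)")
CHUNK = 1 << 20  # read 1 MiB at a time
OVERLAP = 64     # bytes carried over so a banner split across reads is still seen


def versions_in_stream(stream):
    """Return the sorted libssh2 version strings found in a binary stream."""
    found, tail = set(), b""
    while True:
        block = stream.read(CHUNK)
        data = tail + block
        for m in BANNER.finditer(data):
            # A match touching the buffer end may be cut short; the overlap
            # re-reads it on the next pass (or at EOF, when block is empty).
            if block and m.end() == len(data):
                continue
            found.add(m.group(1).decode("ascii"))
        if not block:
            return sorted(found)
        tail = data[-OVERLAP:]


def scan_tree(root):
    """Map each file under root that carries the banner to (kind, versions)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    versions = versions_in_stream(fh)
            except OSError:
                continue  # unreadable file: skip it
            if versions:
                # Heuristic: anything not named libssh2.* carries its own copy.
                kind = "shared library" if name.startswith("libssh2.") else "embedded copy"
                hits[path] = (kind, versions)
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (kind, versions) in sorted(scan_tree(root).items()):
        print(f"{path}\t{kind}\t{','.join(versions)}")
```

Run it over build artifacts, container image layers and firmware unpack directories, then compare the reported versions with the fixed release named in the upstream advisory.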