dbclient in Dropbear SSH before 2025.88 allows command injection via an untrusted hostname argument, because a shell is used.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47203.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-78"
]
}