Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.6
CVE-2026-41589: Wish SCP Middleware Path Traversal Vulnerability
CVE-2026-41589
GHSA-xjvp-7243-rg9h
GO-2026-5762
Summary
The Wish SCP middleware in versions 2.0.0 to 2.0.1 allows a malicious client to access and modify files outside the intended directory, potentially leading to unauthorized data access or corruption. This vulnerability has been fixed in version 2.0.1. We recommend updating to the latest version to ensure security.
What to do
- Update wish charm.land/wish/v2 to version 2.0.1.
- Update charm.land wish to version 2.0.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Go | wish | charm.land/wish/v2 |
< 2.0.1 Fix: upgrade to 2.0.1
|
| Go | charmbracelet | github.com/charmbracelet/wish | <= 1.4.7 |
| go | charm.land | wish |
< 2.0.1 Fix: upgrade to 2.0.1
|
| go | github.com | charmbracelet | <= 1.4.7 |
Original title
Wish has SCP Path Traversal that allows arbitrary file read/write in charm.land/wish
Original description
Wish has SCP Path Traversal that allows arbitrary file read/write in charm.land/wish
nvd CVSS3.1
9.6
Vulnerability type
CWE-22
Path Traversal
Published: 7 Jul 2026 · Updated: 7 Jul 2026 · First seen: 7 May 2026