Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
9.6

CVE-2026-41589: Wish SCP Middleware Path Traversal Vulnerability

CVE-2026-41589 GHSA-xjvp-7243-rg9h GO-2026-5762
Summary

The Wish SCP middleware in versions 2.0.0 to 2.0.1 allows a malicious client to access and modify files outside the intended directory, potentially leading to unauthorized data access or corruption. This vulnerability has been fixed in version 2.0.1. We recommend updating to the latest version to ensure security.

What to do
  • Update wish charm.land/wish/v2 to version 2.0.1.
  • Update charm.land wish to version 2.0.1.
Affected software
Ecosystem VendorProductAffected versions
Go wish charm.land/wish/v2 < 2.0.1
Fix: upgrade to 2.0.1
Go charmbracelet github.com/charmbracelet/wish <= 1.4.7
go charm.land wish < 2.0.1
Fix: upgrade to 2.0.1
go github.com charmbracelet <= 1.4.7
Original title
Wish has SCP Path Traversal that allows arbitrary file read/write in charm.land/wish
Original description
Wish has SCP Path Traversal that allows arbitrary file read/write in charm.land/wish
nvd CVSS3.1 9.6
Vulnerability type
CWE-22 Path Traversal
Published: 7 Jul 2026 · Updated: 7 Jul 2026 · First seen: 7 May 2026