Description

Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1.

INFO

Published Date :

2026-05-07T13:17:58.717Z

Last Modified :

2026-05-07T14:41:57.990Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41589 vulnerability.

Vendors Products
Charmbracelet
  • Wish
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41589.

URL Resource
https://github.com/charmbracelet/wish/releases/tag/v2.0.1 cve-icon cve-icon
https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact