No vendor fix or workaround currently provided.
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-cf92-gfcw-6v53 | Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed |

Wed, 27 May 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Tue, 26 May 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Magic-wormhole; Magic-wormhole magic-wormhole | |
| Vendors & Products | Magic-wormhole; Magic-wormhole magic-wormhole | |

Tue, 26 May 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver specifies "--output <dir>" where that output directory currently exists (as a directory). This vulnerability is fixed in 0.24.0. | |
| Title | wormhole receive, with --output pointing at an existing directory can be path-traversed | |
| Weaknesses | CWE-22 | |
| References | | |
| Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-27T13:17:27.943Z
Reserved: 2026-04-27T13:55:58.693Z
Link: CVE-2026-42448
Updated: 2026-05-27T13:17:24.371Z
Status: Deferred
Published: 2026-05-26T18:16:48.320
Modified: 2026-06-17T10:47:51.530
Link: CVE-2026-42448
No data.
OpenCVE Enrichment
Updated: 2026-05-26T20:00:12Z