CVE-2026-41589
🔴 Patch now
An attack on SCP in Wish allows files to be read and written outside the root directory.
CVSS
9.6
EPSS
0.1%
Exploit
poc
Vendor
charm
Source description (NVD)
Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1.
exploit path-traversal
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.6 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.1% |
| Published (NVD) | 2026-05-07 14:16:02 UTC |
| Last modified (NVD) | 2026-05-29 15:23:29 UTC |
References
- https://github.com/charmbracelet/wish/releases/tag/v2.0.1 (security-advisories@github.com) [Release Notes]
- https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h (security-advisories@github.com) [Exploit, Mitigation, Vendor Advisory]