CVE-2026-42448
LOWwormhole receive, with --output pointing at an existing directory can be path-traversed
Title source: cnaDescription
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output <dir>" where that output directory currently exists (as a directory). This vulnerability is fixed in 0.24.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-cf92-gfcw-6v53
Scores
CVSS v3
3.5
EPSS
0.0020
EPSS Percentile
9.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
magic-wormhole/magic-wormhole
< 0.24.0
pypi/magic-wormhole
0.23.0 - 0.24.0PyPI
Published
May 26, 2026
Tracked Since
May 26, 2026