CVE-2026-41589
Wish has SCP Path Traversal that allows arbitrary file read/write
CVSS Score
9.6
EPSS Score
0.0%
EPSS Percentile
0th
Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1.
| CWE | CWE-22 |
| Vendor | charmbracelet |
| Product | wish |
| Published | May 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for charmbracelet wish
Be the first to know when new critical vulnerabilities affecting charmbracelet wish are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
charmbracelet / wish
>= 2.0.0, < 2.0.1