{"id":"CVE-2026-42448","summary":"wormhole receive, with --output pointing at an existing directory can be path-traversed","details":"Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies \"--output \u003cdir\u003e\" where that output directory currently exists (as a directory). This vulnerability is fixed in 0.24.0.","aliases":["GHSA-cf92-gfcw-6v53"],"modified":"2026-07-08T08:13:19.360177839Z","published":"2026-05-26T17:57:20.946Z","database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42448.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42448.json"},{"type":"ADVISORY","url":"https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-cf92-gfcw-6v53"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42448"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/magic-wormhole/magic-wormhole","events":[{"introduced":"0"},{"fixed":"3bf46e020341ff966aa1ca58d7260005256c1a8f"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"0.24.0"}]}}],"versions":["0.19.2","0.12.0","0.11.2","0.11.1","0.11.0","0.10.5","0.10.4","0.10.3","0.10.2","0.10.1","0.10.0","0.9.2","0.9.1","0.9.0","0.8.2","0.8.1","0.8.0","0.7.6","0.7.5","0.7.0","0.6.3","0.6.2","0.6.1","0.6.0","0.5.0","0.4.0","0.3.0","0.2.0","0.1.0","0.0.6","0.0.5","0.0.4","0.0.3","0.0.2","0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42448.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}]}