Home / Vulnerability Intelligence / CVE-2026-41589

CVE-2026-41589 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: May 7, 2026

Wish SSH Server - Path Traversal

Published: May 7, 2026Updated: May 7, 2026Remote Exploitable

Overview

Wish SSH server 2.0.0 to < 2.0.1 contains a path traversal vulnerability in SCP middleware caused by crafted filenames with ../ sequences, letting malicious SCP clients read/write arbitrary files and create directories outside root, exploit requires SCP client interaction.

Severity & Score

Severity: Critical

CVSS Score: 9.6

Impact

Malicious SCP clients can read, write files, and create directories outside the root, compromising server file system integrity.

Mitigation

Upgrade to version 2.0.1 or later.

References

https://github.com/charmbracelet/wish/releases/tag/v2.0.1
https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-41589
Severity: Critical
CVSS Score: 9.6
Type: path_traversal
Status: unconfirmed

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N