PT-2026-37134 · Wish · Wish
Evnsh · Published 2026-04-18 · Updated 2026-05-13

CVE-2026-41589
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Wish versions 2.0.0 through 2.0.0

Description: The SCP middleware in charm.land/wish/v2 is subject to path traversal. A malicious SCP client can read and write arbitrary files, and create directories outside the configured root directory, by sending crafted filenames containing ../ sequences over the SCP protocol. The cause is that the prefixed() function does not verify that the resolved path still lies within the root directory after the path has been cleaned. The flaw is reachable through three main vectors: arbitrary file writes during file reception (scp -t), arbitrary file reads during file transmission (scp -f), and file enumeration using glob metacharacters (*, ?, [). If the server uses the default authentication, which accepts all connections, these actions can be performed by unauthenticated remote attackers.

Recommendations: Update to version 2.0.1. As a temporary workaround, restrict access to the scp.Middleware or the scp.NewFileSystemHandler component to minimize the risk of exploitation.
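The containment check the description says prefixed() lacks, shown as an added illustrative example (not the project's own code): after cleaning and joining, the resolved path is checked against the root with filepath.Rel and rejected if it climbed out. The root directory and file names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes root directory")

// safePrefixed resolves a client-supplied SCP name against root and
// rejects any result that does not stay inside root. It is written for
// this advisory as an example of the missing check; it is not wish's
// prefixed() function.
func safePrefixed(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the combined path, so "../" segments are collapsed
	// here; cleaning alone is what the vulnerable version stopped at.
	candidate := filepath.Join(absRoot, name)
	// Rel expresses candidate relative to root. A result of ".." or one
	// starting with "../" means the cleaned path left the root.
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideRoot, name)
	}
	return candidate, nil
}

func main() {
	// Constructed sample root and names: one benign, two traversal attempts.
	for _, name := range []string{"uploads/report.txt", "../../etc/passwd", ".."} {
		p, err := safePrefixed("/srv/scp", name)
		fmt.Printf("%-20q -> %q err=%v\n", name, p, err)
	}
}
```

The same check must run on every path produced by glob expansion, not only on the literal name the client sent. It does not follow symlinks; if root may contain them, resolve with filepath.EvalSymlinks before comparing.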


Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-41589, GHSA-XJVP-7243-RG9H

Affected Products: Wish