CVE-2026-42448 LOW

CVE-2026-42448: wormhole receive, with --output pointing at an existing directory can be path-traversed

Vendor Magic-Wormhole
Product magic-wormhole
Weakness CWE-22 · Path traversal
Published May 26, 2026
Last update May 27, 2026

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output <dir>" where that output directory currently exists (as a directory). This vulnerability is fixed in 0.24.0.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated