CVE-2026-41589: Wish has SCP Path Traversal that allows arbitrary file read/write

April 18, 2026 (updated May 8, 2026)

The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol.

References

github.com/advisories/GHSA-xjvp-7243-rg9h
github.com/charmbracelet/wish
github.com/charmbracelet/wish/releases/tag/v2.0.1
github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h
nvd.nist.gov/vuln/detail/CVE-2026-41589

Code Behaviors & Features

Detect and mitigate CVE-2026-41589 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →