
Magic Wormhole CVE-2026-42448

EUVD-2026-31947 | LOW | CVSS 3.1: 3.5
Path Traversal (CWE-22)
2026-05-06 | https://github.com/magic-wormhole/magic-wormhole | GHSA-cf92-gfcw-6v53

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: May 06, 2026 - 21:31 (vuln.today)
Analysis Generated: May 06, 2026 - 21:31 (vuln.today)
CVE Published: May 06, 2026 - 20:40 (nvd)

Description (NVD)

Impact

This affects a receiver who specifies "--output <dir>" where that output directory currently exists (as a directory).

Patches

Version 0.24.0 will contain the patch.

Workarounds

Ensure that local target directories specified by "--output" do not already exist.

Resources

Private email and Signal communications from a user. Magic Wormhole thanks @marduc812.

Analysis (AI)

A path traversal vulnerability in the Magic Wormhole receive command allows an authenticated attacker to write files outside the intended output directory when the specified output directory already exists. The attack is low complexity and is delivered over the network via a specially crafted transfer request, resulting in arbitrary file write.
