What is the CVSS score of EUVD-2026-28370?

EUVD-2026-28370 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Wish SSH Server are affected by EUVD-2026-28370?

A critical path traversal vulnerability in Charmbracelet Wish SSH server (versions 1.x and 2.0.0-2.0.1) allows authenticated users to read, write, and create files outside configured boundaries,…. A patch is available.

How to fix or mitigate EUVD-2026-28370?

Within 24 hours: Identify all systems running charm.land/wish or github.com/charmbracelet/wish and document their versions. Within 7 days: Upgrade all v2.x deployments to v2.0.2 or later; for v1.x installations, contact vendor for patched release or migrate to v2.x patched version. Within 30 days: Conduct log review of SCP activity for suspicious path traversal patterns (../ sequences in filenames); restrict SSH access to Wish-based servers to only required users and implement filesystem-level restrictions on SCP root directories as defense-in-depth.

Wish SSH Server EUVD-2026-28370

| CVE-2026-41589 CRITICAL

Path Traversal (CWE-22)

2026-05-07 GitHub_M

GHSA-xjvp-7243-rg9h

Path Traversal

9.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 07, 2026 - 14:31 vuln.today

Analysis Generated

May 07, 2026 - 14:31 vuln.today

CVE Published

May 07, 2026 - 13:17 nvd

CRITICAL 9.6

DescriptionNVD

Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1.

AnalysisAI

Path traversal in Wish SSH server's SCP middleware allows authenticated attackers to read arbitrary files, write arbitrary files, and create directories outside the configured root via crafted filenames containing ../ sequences. Affects charm.land/wish/v2 versions 2.0.0 through 2.0.1 and all github.com/charmbracelet/wish v1.x versions. …

RemediationAI

Within 24 hours: Identify all systems running charm.land/wish or github.com/charmbracelet/wish and document their versions. Within 7 days: Upgrade all v2.x deployments to v2.0.2 or later; for v1.x installations, contact vendor for patched release or migrate to v2.x patched version. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-28370 vulnerability details – vuln.today

Back