PYSEC-2026-2616

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/magic-wormhole/PYSEC-2026-2616.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2616
Aliases
Published
2026-07-13T15:15:39.233478Z
Modified
2026-07-13T16:32:12.324034954Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed
Details

Impact

A receiver who specifies "--output <dir>" where that output directory currently exists (as a directory).

Patches

0.24.0 will contain the patch

Workarounds

Ensure local target directories specified by "--output" do not already exist

Resources

Private email and Signal communications from a user. Magic Wormhole thanks @marduc812

References

Affected packages

PyPI / magic-wormhole

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.23.0
Fixed
0.24.0

Affected versions

0.*
0.23.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/magic-wormhole/PYSEC-2026-2616.yaml"