PyPI package
magic-wormhole
pkg:pypi/magic-wormhole
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42448 | Low | 3.5 | >= 0.23.0, < 0.24.0 | 0.24.0 | May 26, 2026 | Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists (as a directory). This vulnerability | |
| CVE-2026-32116 | — | >= 0.21.0, < 0.23.0 | 0.23.0 | Mar 12, 2026 | Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys |
- affected >= 0.23.0, < 0.24.0fixed 0.24.0
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists (as a directory). This vulnerability
- CVE-2026-32116Mar 12, 2026affected >= 0.21.0, < 0.23.0fixed 0.23.0
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys