Path Traversal in Magic-wormhole

CVE-2026-32116

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (29.5th percentile) — read the EPSS interpretation.

Affected products

Magic-wormhole — versions >= 0.21.0, < 0.23.0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r (x_refsource_CONFIRM)