Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-41589 -- CVSS 9.6 Vulnerability Briefing

CVE-2026-41589 | CVSS 9.6 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-41589 is a path traversal vulnerability in the SCP middleware component of Wish (charm.land/wish/v2), an SSH server library for Go, affecting versions 2.0.0 through 2.0.0.x prior to the 2.0.1 patch release.

Technical Detail

The flaw exists in how the SCP middleware in Wish v2 processes file paths supplied by a connecting client, failing to properly sanitize or restrict path components before resolving them on the server filesystem. An attacker with the ability to initiate an SCP session can supply crafted path sequences, such as directory traversal strings, to read from or potentially write to locations outside the intended directory scope. Depending on server configuration and file permissions, successful exploitation could result in unauthorized file disclosure or file write primitives that enable further compromise of the host system.

Exploitation Status

No known exploit code has been identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning no public proof-of-concept or operational tooling has been confirmed as of May 14, 2026. However, path traversal vulnerabilities in file transfer protocols are generally straightforward to exploit once the flaw is understood, and the availability of the patch may accelerate reverse-engineering efforts.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.

What To Do

Upgrade to Wish v2.0.1 or later immediately, as this release contains the fix for the path traversal condition in the SCP middleware. Organizations running any deployment of Wish v2.0.0 that exposes SCP functionality should treat this as a priority patch given the CVSS score of 9.6 and the nature of the flaw. If an immediate upgrade is not feasible, consider disabling or restricting access to the SCP middleware as a temporary workaround, and audit server-side file access logs for anomalous path patterns indicative of traversal attempts. Detection teams should monitor SCP session logs for path strings containing sequences such as "../" or absolute path references outside expected working directories.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →