2 matches found
GHSA-CF92-GFCW-6V53 Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed
Impact: A receiver who specifies "--output " where that output directory currently exists as a directory.
Patches: 0.24.0 will contain the patch
Workarounds: Ensure local target directories specified by "--output" do not already exist
Resources: Private email and Signal communications from a user...
PT-2026-38266
Name of the Vulnerable Software and Affected Versions: Magic Wormhole versions prior to 0.24.0
Description: A path traversal issue exists when a receiver uses the --output option and the specified output directory already exists on the system. Path traversal is a flaw that allows an attacker to...