{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T16:57:36.520","vulnerabilities":[{"cve":{"id":"CVE-2026-32116","sourceIdentifier":"security-advisories@github.com","published":"2026-03-12T18:16:24.930","lastModified":"2026-03-16T18:02:21.613","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0."},{"lang":"es","value":"Magic Wormhole permite obtener archivos y directorios de tamaño arbitrario de un ordenador a otro. Desde la versión 0.21.0 hasta antes de la 0.23.0, recibir un archivo (wormhole receive) de un actor malicioso podría resultar en la sobrescritura de archivos locales críticos, incluyendo ~/.ssh/authorized_keys y .bashrc. Esto podría utilizarse para comprometer el ordenador del receptor. Solo el remitente del archivo (el actor que ejecuta wormhole send) puede llevar a cabo el ataque. Otras partes (incluyendo los servidores de tránsito/retransmisión) quedan excluidas por el protocolo wormhole. Esta vulnerabilidad está corregida en la versión 0.23.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:magic-wormhole_project:magic_wormhole:*:*:*:*:*:python:*:*","versionStartIncluding":"0.21.0","versionEndExcluding":"0.23.0","matchCriteriaId":"DB258A1D-FF14-459B-9EAC-8B4EE6F2B27F"}]}]}],"references":[{"url":"https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}