CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58494

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-08
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.

⚡ Watch CVE-2026-58494

Get an email if CVE-2026-58494 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58494

CVE.org record

Embed the live status

CVE-2026-58494 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58494 status](https://www.csirts.com/badge/CVE-2026-58494)](https://www.csirts.com/cve/CVE-2026-58494)