Home

Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.

PUBLISHED Reserved 2026-03-16 | Published 2026-03-20 | Updated 2026-03-25 | Assigner GitHub_M




HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

>= 0.4.9-6262-g2fa0b11d3, < 0.5.0b3.dev97
affected

References

github.com/...pyload/security/advisories/GHSA-7g4m-8hx2-4qh3

cve.org (CVE-2026-32808)

nvd.nist.gov (CVE-2026-32808)

Download JSON