Description
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
Published: 2026-03-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Patch Now
AI Analysis

Impact

The vulnerability stems from the edit_package() function in pyLoad, which inadequately sanitizes the pack_folder parameter, relying on a single-pass replacement of "../". Crafted recursive traversal sequences bypass this check, allowing the attacker to write to any path relative to the pyLoad installation. This path traversal flaw is classified as CWE-23 and can lead to arbitrary file overwrites, potentially replacing critical configuration files or injecting malicious scripts.

Affected Systems

pyLoad, versions 0.5.0b3.dev13 through 0.5.0b3.dev96 inclusive. The issue is fixed in 0.5.0b3.dev97 and later revisions; earlier or lower-numbered releases are unaffected.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate severity, while the EPSS score of <1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need local execution or control over pyLoad to trigger edit_package() with a crafted pack_folder value. The likely attack vector is a local user or a compromised local process. In environments where untrusted input can be supplied to pyLoad, or where multiple users share the same installation, the risk escalates, as unauthorized file writes could compromise user data or the pyLoad configuration.

Generated by OpenCVE AI on April 17, 2026 at 12:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev97 or newer to apply the official patch
  • If immediate upgrade is not possible, restrict access to the edit_package feature to trusted users and disable or sandbox untrusted plugins
  • As an additional defense, implement custom path sanitization that ensures pack_folder does not resolve outside the intended download directory

Advisories

Source: Github GHSA
ID: GHSA-6px9-j4qr-xfjw
Title: pyLoad has an Arbitrary File Write via Path Traversal in edit_package()
History

Wed, 11 Mar 2026 22:15:00 +0000

Type: First Time appeared
Values added: Pyload-ng Project; Pyload-ng Project pyload-ng

Type: CPEs
Values added: cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*

Type: Vendors & Products
Values added: Pyload-ng Project; Pyload-ng Project pyload-ng

Mon, 09 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added:
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Pyload; Pyload pyload

Type: Vendors & Products
Values added: Pyload; Pyload pyload

Sat, 07 Mar 2026 15:45:00 +0000

Type: Description
Values added: pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.

Type: Title
Values added: pyLoad: Arbitrary File Write via Path Traversal in edit_package()

Type: Weaknesses
Values added: CWE-23

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:26:46.896Z

Reserved: 2026-03-04T16:26:02.898Z

Link: CVE-2026-29778

Vulnrichment

Updated: 2026-03-09T17:52:32.765Z

NVD

Status : Analyzed

Published: 2026-03-07T16:15:54.800

Modified: 2026-03-11T22:09:15.240

Link: CVE-2026-29778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses