Description
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
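The defect described above is an archive entry name taken from 7z listing output and used as a filesystem path with no check that it stays under the extraction directory. The following is an added example, not pyLoad's code or the fix shipped in 0.5.0b3.dev97: it parses a constructed `7z l -slt` style listing (entry blocks after the `----------` separator carry `Path = <name>` lines), shows the unconstrained join beside a containment check that rejects absolute and `..` names before any deletion, and resolves symlinks so the check sees the real target. The extraction directory, listing text, and function names are all assumptions.

```python
"""Constrain 7z listing entry names to the extraction directory before touching the
filesystem. Hypothetical example, not pyLoad's code: it assumes entry names come from
`7z l -slt` output, whose entry blocks (after '----------') carry 'Path = <name>' lines."""
import os
import pathlib
import tempfile

# Constructed sample in the shape of `7z l -slt` output: the first 'Path' line names the
# archive itself; entries follow the separator. Two names are benign, two escape the tree.
SAMPLE_LISTING = """\
Listing archive: sample.7z

--
Path = sample.7z
Type = 7z

----------
Path = docs/readme.txt
Size = 12
Encrypted = +

Path = ../../important.cfg
Size = 40
Encrypted = +

Path = /etc/passwd
Size = 0
Encrypted = +

Path = nested/dir/file.bin
Size = 1024
Encrypted = +
"""


class UnsafeEntryName(ValueError):
    """Raised for an entry name that would land outside the extraction directory."""


def entry_names_from_listing(listing):
    """Return entry names from a `7z l -slt` style listing, skipping the archive's own block."""
    names, in_entries = [], False
    for line in listing.splitlines():
        if line.strip() == "----------":
            in_entries = True
        elif in_entries and line.startswith("Path = "):
            names.append(line[len("Path = "):])
    return names


def naive_join(extract_dir, entry_name):
    """The unconstrained pattern the advisory describes (illustrative only): the name is
    trusted as-is, so '..' segments and absolute names escape extract_dir."""
    return os.path.join(extract_dir, entry_name)


def resolve_within(extract_dir, entry_name):
    """Resolve entry_name strictly inside extract_dir, or raise UnsafeEntryName."""
    base = pathlib.Path(extract_dir).resolve()
    # os.path.join('/base', '/etc/passwd') == '/etc/passwd': refuse absolute names,
    # including Windows drive and UNC forms, before joining at all.
    if os.path.isabs(entry_name) or pathlib.PureWindowsPath(entry_name).is_absolute():
        raise UnsafeEntryName(entry_name)
    candidate = (base / entry_name).resolve()
    # resolve() collapses '..' and follows symlinks, so containment is decided on the
    # real target; the base directory itself is not an acceptable entry either.
    if base not in candidate.parents:
        raise UnsafeEntryName(entry_name)
    return candidate


def check_listing(listing, extract_dir):
    """Map each entry name in the listing to 'ok' or 'rejected'."""
    verdicts = {}
    for name in entry_names_from_listing(listing):
        try:
            resolve_within(extract_dir, name)
            verdicts[name] = "ok"
        except UnsafeEntryName:
            verdicts[name] = "rejected"
    return verdicts


def remove_probe(extract_dir, entry_name):
    """Delete a test-extracted entry only when it resolves inside extract_dir.
    Returns True if a file was removed, False if nothing existed there."""
    target = resolve_within(extract_dir, entry_name)  # raises before anything is touched
    if target.is_file():
        target.unlink()
        return True
    return False


def demo_probe_removal():
    """Create a probe file in a temporary extraction directory: an in-tree name is removed,
    a traversal name is refused. Returns (removed, refused, probe_gone)."""
    with tempfile.TemporaryDirectory() as tmp:
        probe_dir = pathlib.Path(tmp, "docs")
        probe_dir.mkdir()
        (probe_dir / "readme.txt").write_text("probe")
        removed = remove_probe(tmp, "docs/readme.txt")
        try:
            remove_probe(tmp, "../../important.cfg")
            refused = False
        except UnsafeEntryName:
            refused = True
        return removed, refused, not (probe_dir / "readme.txt").exists()


if __name__ == "__main__":
    print(check_listing(SAMPLE_LISTING, "/srv/downloads/extract"))  # assumed directory
    print(demo_probe_removal())
```

The containment test compares resolved paths rather than string prefixes: a prefix check would accept `/srv/downloads/extract-other/x` for base `/srv/downloads/extract`, and a lexical `..` check would miss a symlink planted inside the tree. Rejecting the entry before the join, rather than after, is what keeps the deletion step from ever seeing an out-of-tree path.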
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw exists during password verification of encrypted 7z archives that have non-encrypted headers. The vulnerability allows a crafted archive to cause pyLoad to delete files outside its intended extraction directory, leading to loss of data and potential system compromise. The weakness is classified as CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal).

Affected Systems

The pyLoad download manager, including the pyload-ng project, is affected. All versions prior to 0.5.0b3.dev97 lack the fix and are vulnerable.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity, while EPSS is below 1%, suggesting a low likelihood of widespread exploitation. It is not listed in CISA’s KEV catalog. An attacker would need to supply a malicious 7z file that passes encryption header checks, then trigger the password verification routine to delete arbitrary files. The impact is limited to files accessible by the user account under which pyLoad runs.

Generated by OpenCVE AI on March 26, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev97 or later.
  • Confirm that pyLoad does not run with elevated privileges to reduce potential damage.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pyload-ng Project
                                      Pyload-ng Project pyload-ng
CPEs                                  cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*
                                      cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
Vendors & Products                    Pyload-ng Project
                                      Pyload-ng Project pyload-ng

Wed, 25 Mar 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pyload
                                      Pyload pyload
Vendors & Products                    Pyload
                                      Pyload pyload

Fri, 20 Mar 2026 02:15:00 +0000

Type                 Values Removed   Values Added
Description                           pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
Title                                 pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification
Weaknesses                            CWE-22
References
Metrics                               cvssV3_1
                                      {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:29:07.756Z

Reserved: 2026-03-16T17:35:36.695Z

Link: CVE-2026-32808

Vulnrichment

Updated: 2026-03-25T14:28:44.482Z

NVD

Status : Analyzed

Published: 2026-03-20T02:16:34.683

Modified: 2026-03-26T18:36:48.053

Link: CVE-2026-32808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:35Z

Weaknesses