Impact
The vulnerability resides in pyLoad’s _safe_extractall() function, which verifies extraction paths with a character‑level string comparison rather than a comparison of path components. A specially crafted tar archive can therefore create files outside the intended directory, compromising file integrity and potentially overwriting critical system files. The weakness is a typical path‑traversal flaw that can lead to arbitrary file write, with the extent of damage depending on the directory the application runs in. It maps to CWE‑22: untrusted input influences a path computation that is not adequately validated.
Affected Systems
Any installation of pyLoad before version 0.5.0b3.dev97 is affected. The product is the open‑source download manager pyLoad, maintained by the pyload community. Users running older revisions that still use the _safe_extractall() routine with os.path.commonprefix() are vulnerable. Upgrading to 0.5.0b3.dev97 or later resolves the issue.
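To make the character‑level flaw concrete, the following added example (not pyLoad’s own code) contrasts an os.path.commonprefix()‑style check with a component‑wise check, run over a constructed in‑memory tar archive without extracting anything. The destination /srv/pyload/downloads and the member names are assumptions chosen for illustration.

```python
import io
import os
import tarfile

# Weak check (reconstruction of the pattern the advisory describes, not
# pyLoad's code): os.path.commonprefix() compares strings character by
# character, so a sibling directory whose name merely starts with the
# destination name, e.g. ".../downloads_evil", shares the full prefix and
# is wrongly accepted.
def weak_is_inside(dest: str, member_name: str) -> bool:
    dest = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest, member_name))
    return os.path.commonprefix([dest, target]) == dest

# Hardened check: resolve both paths (realpath also collapses symlinks when
# the directories exist) and compare whole path components with commonpath().
def safe_is_inside(dest: str, member_name: str) -> bool:
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, target]) == dest

def check_archive(tar_bytes: bytes, dest: str, checker) -> dict:
    """Map every member name to the checker's verdict, extracting nothing."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return {m.name: checker(dest, m.name) for m in tf.getmembers()}

def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and two entries that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("ok.txt", "../escape.txt", "../downloads_evil/x.txt"):
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

DEST = "/srv/pyload/downloads"  # hypothetical extraction directory

if __name__ == "__main__":
    archive = build_sample_archive()
    print("commonprefix:", check_archive(archive, DEST, weak_is_inside))
    print("commonpath:  ", check_archive(archive, DEST, safe_is_inside))
```

The plain "../escape.txt" entry is rejected by both checks; only the component‑wise check also rejects the sibling‑prefix entry, which is the gap a character‑level comparison leaves open.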
Risk and Exploitability
The CVSS score of 5.3 signifies moderate severity, meaning the vulnerability can be exploited in a non‑interactive or low‑privilege scenario. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified, but the flaw is not listed in the CISA KEV catalog, suggesting no known exploitation at the time of writing. The attack vector is inferred to be local file system traversal: an attacker supplies a malicious tar file to pyLoad, and files are written outside the designated extraction directory. If pyLoad runs with elevated privileges or writes to sensitive locations, the impact could be high. Nonetheless, without confirmed exploitation, the risk remains moderate pending further monitoring.
OpenCVE Enrichment
GitHub GHSA