Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient sanitization of package folder names in pyLoad. The string replacement mistakenly transforms the pattern "....//" into ".._", leaving a residual "..", which can be interpreted by the operating system as a parent directory reference. During later file resolution, this allows an attacker to drop files outside the intended download directory, potentially reading or writing arbitrary files.
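The defect class described above, as an added illustration that is not pyLoad's own code: a hypothetical one-pass `str.replace` sanitizer (an assumption about the bug pattern, not the project's actual function) leaves a traversal component behind, while the hardened `safe_join` rejects `..` components outright and then independently confirms the joined path still lies under the constructed download root `/srv/pyload/downloads`.

```python
import os

BASE_DIR = "/srv/pyload/downloads"  # constructed download root, not a pyLoad default


def weak_sanitize(folder: str) -> str:
    """Hypothetical one-pass sanitizer (an assumption about the bug class, not
    pyLoad's real code). str.replace() scans once, left to right, so the
    overlapping input "....//" loses its middle "../" and the leftover
    characters form a new "../" that the scan never revisits."""
    return folder.replace("../", "")


def resolves_outside(base: str, folder: str) -> bool:
    """Lexically resolve base/folder and report whether the result escapes base."""
    base_abs = os.path.normpath(os.path.abspath(base))
    target = os.path.normpath(os.path.join(base_abs, folder))
    return os.path.commonpath([base_abs, target]) != base_abs


def is_safe_folder_name(folder: str) -> bool:
    """Reject instead of rewrite: absolute paths, backslash separators, NUL
    bytes and any '..' path component fail validation outright, so there is
    no partial-removal edge case to get wrong."""
    if not folder or folder.startswith("/") or "\\" in folder or "\x00" in folder:
        return False
    parts = [p for p in folder.split("/") if p]
    return bool(parts) and ".." not in parts


def safe_join(base: str, folder: str) -> str:
    """Validate the name, then join it and re-check containment as an
    independent second line of defence. normpath() is purely lexical; on a
    live filesystem compare os.path.realpath() of both sides as well so a
    symlink under base cannot redirect the write."""
    if not is_safe_folder_name(folder):
        raise ValueError(f"rejected package folder name: {folder!r}")
    if resolves_outside(base, folder):
        raise ValueError(f"folder escapes download root: {folder!r}")
    base_abs = os.path.normpath(os.path.abspath(base))
    return os.path.normpath(os.path.join(base_abs, folder))


if __name__ == "__main__":
    hostile = "....//"  # the overlapping pattern named in the advisory
    leftover = weak_sanitize(hostile)
    print(f"{hostile!r} -> {leftover!r}; escapes root: "
          f"{resolves_outside(BASE_DIR, leftover)}")
    print("hardened result:", safe_join(BASE_DIR, hostile))
```

Note that the hardened version accepts the harmless literal folder `....` (it contains no `..` component) rather than mangling it, which is the point: validate and reject, never patch strings.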

Affected Systems

The flaw exists in pyLoad releases before 0.5.0b3.dev100. Any instance of the pyLoad open-source download manager older than that version is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 denotes a moderate severity. EPSS is not reported and the issue is not listed in CISA’s KEV catalog, suggesting limited exploitation activity so far. Exploitation requires an attacker to supply a package with a malicious folder name. If pyLoad is exposed via a network interface that accepts package uploads, the attacker could trigger the path traversal from remote hosts; otherwise local exploitation could also be possible. The vulnerability does not grant arbitrary code execution but could be leveraged to overwrite critical system files if permissions allow.

Generated by OpenCVE AI on May 11, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev100 or later, which removes the faulty sanitization code.
  • If an immediate upgrade is not feasible, configure the server to validate package folder names and reject any attempt that contains ".." or backslash sequences.
  • Restrict package upload functionality to trusted users or network segments and disable untrusted upload paths.



Advisories
Source: Github GHSA
ID: GHSA-97r3-5w84-r4q8
Title: PyLoad Vulnerable to Path Traversal via Package Folder Name
History

Mon, 11 May 2026 20:00:00 +0000

Type: First Time appeared
Values Added: Pyload; Pyload pyload

Type: Vendors & Products
Values Added: Pyload; Pyload pyload

Mon, 11 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Type: Description
Values Added: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.

Type: Title
Values Added: pyLoad: Path Traversal via Package Folder Name

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:33:46.606Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42314

Vulnrichment

Updated: 2026-05-11T18:32:49.941Z

NVD

Status : Received

Published: 2026-05-11T18:16:35.123

Modified: 2026-05-11T20:25:42.537

Link: CVE-2026-42314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:45:08Z

Weaknesses