Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pyLoad, a popular open-source download manager, contains a path traversal flaw in its set_package_data() API. When a user holding the Perms.MODIFY permission supplies a folder name under the "_folder" key of the data object, the value is accepted as the package's download location without any sanitization. An attacker can therefore point a package at a directory outside the configured download root, and because the same user also chooses what the package downloads, this amounts to writing attacker-controlled files into any directory the pyLoad process can write to. Depending on which directories are writable (scheduler drop-ins, web roots, the pyLoad installation itself), that can escalate to code execution on the host; the CVSS vector rates the confidentiality impact as none and the integrity and availability impacts as high.

Affected Systems

The vulnerability exists in every version of pyLoad before 0.5.0b3.dev100. Administrators should determine whether their installations are running one of these older releases. Versions 0.5.0b3.dev100 and later have added path sanitization to the set_package_data() handler, eliminating the flaw.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) indicates high severity: the flaw is reachable over the network by an authenticated user with low privileges, needs no user interaction, and affects integrity and availability but not confidentiality. EPSS is below 1% (very low) and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation to date. Exploitation requires an account with Perms.MODIFY that can call set_package_data(), so the realistic attacker is a malicious or compromised pyLoad user rather than an unauthenticated remote party. The problem is classified as CWE-22 (improper limitation of a pathname to a restricted directory) and CWE-36 (absolute path traversal).

Generated by OpenCVE AI on May 11, 2026 at 19:53 UTC.

Remediation

The CVE description states that the issue is fixed in pyLoad 0.5.0b3.dev100; no separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Update pyLoad to version 0.5.0b3.dev100 or newer, which sanitizes folder names passed to set_package_data().
  • Enforce least privilege by limiting the Perms.MODIFY permission to trusted users only, reducing the window for an attacker to specify malicious directories.
  • Validate the "_folder" value before use: reject absolute paths and any ".." component, normalize the result, and confirm the resolved path still lies inside the configured download root (or matches an allowlist of permitted directories).
  • Configure logging or monitoring to alert on package download targets that fall outside the configured download root, giving early warning of abuse of the set_package_data() API.
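As an added example (not pyLoad's own code, and not the actual fix shipped in 0.5.0b3.dev100), the following Python contrasts the unsanitized join the advisory describes with a hardened check that implements the validation recommended above. DOWNLOAD_ROOT, apply_package_data(), is_rejected() and UnsafeFolderName are illustrative names assumed here, not pyLoad identifiers.

```python
import os
import re
from typing import List

# Assumed download root for the examples below (hypothetical path).
DOWNLOAD_ROOT = "/var/lib/pyload/downloads"

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def unsafe_package_folder(base: str, folder: str) -> str:
    """The unsanitized pattern the advisory describes, reconstructed for
    illustration (not pyLoad's actual code): the caller-supplied "_folder"
    value is joined to the download root as-is.  ".." climbs out of the
    root, and an absolute path makes os.path.join discard the root."""
    return os.path.normpath(os.path.join(base, folder))


class UnsafeFolderName(ValueError):
    """Raised when a "_folder" value would escape the download root."""


def safe_package_folder(base: str, folder: str) -> str:
    """Hardened variant: reject absolute paths, drive letters and any
    '..' component, then confirm the resolved target still sits under
    base.  Returns the normalized absolute target directory."""
    if not isinstance(folder, str) or not folder.strip():
        raise UnsafeFolderName("folder name must be a non-empty string")
    if "\x00" in folder:
        raise UnsafeFolderName("NUL byte in folder name")

    # Treat '\\' as a separator too so Windows-style traversal is caught.
    normalized = folder.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE_RE.match(normalized):
        raise UnsafeFolderName("absolute paths are not allowed: %r" % folder)

    # Keep only real name components: "" and "." add nothing, ".." escapes.
    parts: List[str] = []
    for part in normalized.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise UnsafeFolderName("parent-directory reference in %r" % folder)
        parts.append(part)
    if not parts:
        raise UnsafeFolderName("folder resolves to the root itself: %r" % folder)

    target = os.path.normpath(os.path.join(base, *parts))

    # The lexical checks above already guarantee containment; verifying the
    # resolved paths as well stops a symlink planted inside base from
    # redirecting the package elsewhere on disk.
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise UnsafeFolderName("folder escapes download root: %r" % folder)
    return target


def is_rejected(base: str, folder: str) -> bool:
    """True if safe_package_folder() refuses the folder name."""
    try:
        safe_package_folder(base, folder)
    except UnsafeFolderName:
        return True
    return False


def apply_package_data(data: dict, base: str = DOWNLOAD_ROOT) -> dict:
    """Stand-in for the data-object handling of a set_package_data()-style
    API (hypothetical helper, not pyLoad's): a "_folder" key is validated
    and replaced by the resolved absolute directory before it is used."""
    result = dict(data)
    if "_folder" in result:
        result["_folder"] = safe_package_folder(base, result["_folder"])
    return result


if __name__ == "__main__":
    # Constructed request body in the shape the advisory describes.
    attacker = {"_folder": "../../../etc/cron.d", "name": "nightly"}
    print("unsafe join ->", unsafe_package_folder(DOWNLOAD_ROOT, attacker["_folder"]))
    try:
        apply_package_data(attacker)
    except UnsafeFolderName as exc:
        print("rejected:", exc)
    print("accepted ->", apply_package_data({"_folder": "movies/2024"})["_folder"])
```

The two-stage check matters: the component filter gives a clear error for the obvious "..", "/etc/..." and "C:\..." inputs, while the realpath comparison catches escapes that are only visible once the filesystem is consulted, such as a symlink already present under the download root.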



Advisories

Source: GitHub GHSA
ID: GHSA-838g-gr43-qqg9
Title: PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
History

Mon, 11 May 2026 18:45:00 +0000

First Time appeared (values added): Pyload; Pyload pyload
Vendors & Products (values added): Pyload; Pyload pyload

Mon, 11 May 2026 17:30:00 +0000

Description (values added): pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.
Title (values added): pyLoad: Path Traversal via Package Folder Name in set_package_data
Weaknesses (values added): CWE-22, CWE-36
References (values added): (none shown)
Metrics (values added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:16:10.716Z

Reserved: 2026-04-26T12:37:18.170Z

Link: CVE-2026-42315

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T18:16:35.260

Modified: 2026-05-11T21:19:00.410

Link: CVE-2026-42315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:00:15Z

Weaknesses