Platform
python
Component
pyload
Fixed in
0.4.10
CVE-2026-32808 is a Path Traversal vulnerability discovered in pyLoad, a free and open-source download manager written in Python. This flaw allows attackers to delete arbitrary files outside the intended extraction directory by manipulating the password verification process of encrypted 7z archives. The vulnerability affects versions prior to 0.5.0b3.dev97 and has been resolved in that release.
The core of the vulnerability lies in how pyLoad handles password verification for encrypted 7z archives. Specifically, when verifying a password, the software derives an archive entry name from the 7z listing output and treats it as a filesystem path without proper validation. An attacker can craft a malicious 7z archive with a specially crafted listing that includes path traversal sequences (e.g., ../..). When pyLoad attempts to extract this archive and verify the password, it will incorrectly interpret the crafted path, allowing the attacker to delete files outside of the intended extraction directory. This could lead to data loss, system instability, or even complete compromise of the system running pyLoad, depending on the permissions of the user running the application.
This vulnerability was publicly disclosed on 2026-03-20. Currently, there are no known active campaigns targeting this specific vulnerability. No public proof-of-concept exploits have been released, but the nature of path traversal vulnerabilities makes it likely that one will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Users who rely on pyLoad for downloading files and are running versions prior to 0.5.0b3.dev97 are at risk. This includes individuals and organizations using pyLoad in automated download scripts or as part of their workflow. Shared hosting environments where multiple users share the same pyLoad installation are particularly vulnerable, as a compromised archive could affect all users on the system.
• linux / server:
  find / -type f -name '*.7z' -mtime +7 -print   # Identify old 7z archives
  journalctl -u pyload -f | grep -i "password verification"   # Monitor password verification logs (assumes the service unit is named "pyload")
• python:
  import os
  import hashlib
  # Check for unusual file paths during password verification
  # (This requires code analysis of the pyLoad source code)
• generic web: Inspect web server access logs for requests containing unusual file paths or attempts to access 7z archives from untrusted sources.
disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32808 is to immediately upgrade pyLoad to version 0.5.0b3.dev97 or later, which contains the fix. If upgrading is not immediately feasible, consider restricting the directories accessible to the pyLoad process to minimize the potential impact of a successful exploit. Implement strict file permissions to prevent unauthorized file deletion. Monitoring file system activity for unexpected deletions, particularly in sensitive directories, can also help detect potential exploitation attempts. After upgrading, confirm the fix by attempting to extract a test 7z archive with a known malicious path traversal entry and verifying that the extraction is properly constrained to the intended directory.
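The flaw described above comes down to one missing check: an entry name taken from the 7z listing is joined onto the extraction directory and used as a filesystem path as-is. The following Python is an added illustration, not pyLoad's own code. It shows the flawed pattern beside a hardened path check that rejects absolute names and names that resolve outside the extraction directory, and a small scanner that flags such entries in listing text so that, after upgrading, a test archive can be checked the way the mitigation paragraph suggests. Assumptions: the listing is in the style of `7z l -slt` output (one `Path = ...` line per entry after the `----------` separator); the sample listing and the `/tmp/pyload-extract` directory are constructed for the example.

```python
import os
import posixpath
from typing import List

# Constructed sample in the style of `7z l -slt` output. Not captured from a
# real pyLoad run; the archive's own "Path" appears before the separator and
# the entries after it.
SAMPLE_LISTING = """\
Listing archive: sample.7z

--
Path = sample.7z
Type = 7z

----------
Path = docs/readme.txt
Size = 12
Attributes = A

Path = ../../etc/hosts
Size = 0
Attributes = A

Path = /tmp/absolute.txt
Size = 3
Attributes = A
"""


def entry_names(listing: str) -> List[str]:
    """Return archive entry names from `-slt` style listing text.

    Only 'Path = ...' lines after the '----------' separator are entries;
    the block before it describes the archive file itself.
    """
    names: List[str] = []
    in_entries = False
    for line in listing.splitlines():
        if line.strip() == "----------":
            in_entries = True
            continue
        if in_entries and line.startswith("Path = "):
            names.append(line[len("Path = "):])
    return names


def unsafe_target(extract_dir: str, entry: str) -> str:
    """The flawed pattern: the listing name becomes a path with no validation.

    For an entry such as '../../etc/hosts' the result lies outside
    extract_dir, which is exactly what the advisory describes.
    """
    return os.path.normpath(os.path.join(extract_dir, entry))


def safe_target(extract_dir: str, entry: str) -> str:
    """Hardened form: resolve the candidate path and require it to stay
    inside the extraction directory; raise ValueError otherwise."""
    if os.path.isabs(entry) or posixpath.isabs(entry):
        raise ValueError(f"absolute entry name rejected: {entry!r}")
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, entry))
    # commonpath (not str.startswith) so that a sibling such as
    # '/tmp/pyload-extract-evil' is not mistaken for a child of the root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"entry escapes extraction directory: {entry!r}")
    return candidate


def traversal_entries(listing: str, extract_dir: str) -> List[str]:
    """Return the entry names in a listing that the hardened check rejects.

    Useful for checking a test archive after an upgrade: an empty list means
    every entry resolves inside extract_dir.
    """
    flagged: List[str] = []
    for name in entry_names(listing):
        try:
            safe_target(extract_dir, name)
        except ValueError:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    root = "/tmp/pyload-extract"  # assumed extraction directory
    for name in entry_names(SAMPLE_LISTING):
        print(f"{name!r:28} unsafe -> {unsafe_target(root, name)}")
    print("flagged:", traversal_entries(SAMPLE_LISTING, root))
```

Run against real output, feed the text of `7z l -slt archive.7z` to `traversal_entries` with the directory pyLoad extracts into; any name returned is one the unpatched behaviour would have resolved outside that directory.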
Upgrade pyLoad to version 0.5.0b3.dev97 or later. This version fixes the path traversal vulnerability that allows arbitrary file deletion.
CVE-2026-32808 is a Path Traversal vulnerability in pyLoad, a Python download manager, allowing attackers to delete files outside the intended extraction directory by exploiting password verification of encrypted 7z archives.
You are affected if you are running pyLoad 0.4.9-6262-g2fa0b11d3 or any version below 0.5.0b3.dev97.
Upgrade pyLoad to version 0.5.0b3.dev97 or later to resolve the vulnerability. Consider temporary workarounds like restricting the extraction directory if immediate upgrade is not possible.
There is currently no evidence of active exploitation of CVE-2026-32808, but the vulnerability's nature suggests a potential for future exploitation.
Refer to the official pyLoad project repository or website for the latest security advisories and updates related to CVE-2026-32808.