Platform
python
Component
pyload-ng
Fixed in
0.5.1
0.5.1
0.5.0b3.dev97
CVE-2026-29778 is a directory traversal vulnerability affecting pyLoad-ng, a Python-based download manager. This flaw allows attackers to bypass inadequate sanitization of the packfolder parameter within the editpackage() function, potentially leading to unauthorized file access. Versions of pyLoad-ng prior to 0.5.0b3.dev97 are vulnerable, and a patch has been released to address this issue.
The vulnerability lies in the editpackage() function's insufficient sanitization of the packfolder parameter. The current implementation attempts to prevent directory traversal using a single-pass string replacement of "../", but this is easily bypassed with crafted recursive traversal sequences. A successful exploit could allow an attacker to read sensitive files from the server's file system, potentially including configuration files, database credentials, or other confidential data. Depending on the server's configuration and the permissions of the pyLoad-ng process, the attacker might also be able to write files, leading to further compromise.
This vulnerability was publicly disclosed on 2026-03-05. There are currently no known public proof-of-concept exploits available. The vulnerability's CVSS score of 7.1 (HIGH) indicates a significant risk. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade pyLoad-ng to version 0.5.0b3.dev97 or later, which includes the necessary sanitization improvements. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious directory traversal patterns, such as multiple "../" sequences. Additionally, restrict the permissions of the pyLoad-ng process to the minimum required to operate, limiting the potential impact of a successful exploit. After upgrade, confirm by attempting to access a restricted file via the edit_package() function to ensure the sanitization is working as expected.
Update pyLoad to version 0.5.0b3.dev97 or higher. This version contains a fix for the path traversal vulnerability in the edit_package() function.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-29778 is a directory traversal vulnerability in pyLoad-ng versions up to 0.5.0b3.dev96, allowing attackers to access arbitrary files by bypassing sanitization.
You are affected if you are using pyLoad-ng versions 0.5.0b3.dev13 through 0.5.0b3.dev96. Upgrade to 0.5.0b3.dev97 or later to mitigate the risk.
Upgrade pyLoad-ng to version 0.5.0b3.dev97 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the vulnerability's severity warrants prompt mitigation.
Refer to the pyLoad-ng project's official website or GitHub repository for the latest security advisories and release notes.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.