Platform: python
Component: pyload
Fixed in: 0.4.10
CVE-2026-32808 is a Path Traversal vulnerability discovered in pyLoad, a free and open-source download manager written in Python. This flaw allows attackers to delete arbitrary files outside the intended extraction directory by manipulating the password verification process of encrypted 7z archives. The vulnerability affects versions prior to 0.5.0b3.dev97 and has been resolved in that release.
The core of this vulnerability lies in how pyLoad verifies passwords for encrypted 7z archives. The application derives an archive entry name from the 7z listing output and treats it as a filesystem path without validating it. An attacker can therefore craft a 7z archive whose listing contains path traversal sequences (e.g., ../../../../etc/passwd). When pyLoad attempts to verify the password, it resolves this crafted path as supplied, allowing the attacker to delete files outside the intended extraction directory. The potential impact ranges from data loss to system compromise, depending on the privileges of the user running pyLoad; this could lead to unauthorized access to sensitive data or even complete system takeover.
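The defect described above is a missing containment check between an archive-supplied name and the directory it is supposed to live in. The following is an added example, not pyLoad's own code, showing the check a defender would expect before any delete (or write) driven by an archive listing: the entry name is resolved against the extraction directory with `os.path.realpath`, which collapses `..` and follows symlinks, and the operation is refused unless the final location is still under that directory. The listing entries and the `run_demo` scratch directories are constructed for the example; the traversal entry is the one the advisory cites.

```python
import os
import tempfile
from typing import Dict, List, Optional

# Constructed sample of entry names as a 7z listing might report them.
# Only the first two should ever be touched inside the extraction directory.
SAMPLE_LISTING = [
    "video/part1.mkv",
    "video/part2.mkv",
    "../../../../etc/passwd",     # relative traversal (the advisory's example)
    "/etc/shadow",                # absolute path smuggled as an entry name
    "video/../../outside.txt",    # traversal hidden in the middle of the name
]


def resolve_inside(base_dir: str, entry_name: str) -> Optional[str]:
    """Return the on-disk path for an archive entry only if it stays inside
    base_dir; return None for anything that would escape.

    Absolute names are rejected outright. realpath() collapses '..' and
    follows symlinks, so the containment test runs on the final location,
    not on the string the archive listing supplied.
    """
    if os.path.isabs(entry_name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, entry_name))
    # commonpath is a component-wise comparison, so "/tmp/extract-evil" is
    # correctly *not* considered inside "/tmp/extract".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def partition_listing(base_dir: str, entries: List[str]) -> Dict[str, List[str]]:
    """Split listing entries into those safe to act on and those refused."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for name in entries:
        bucket = "accepted" if resolve_inside(base_dir, name) else "rejected"
        result[bucket].append(name)
    return result


def safe_remove(base_dir: str, entry_name: str) -> bool:
    """Delete the file behind entry_name only when it resolves inside base_dir.

    Returns True when a file was removed, False when the entry was refused
    or no regular file existed at the resolved location.
    """
    target = resolve_inside(base_dir, entry_name)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def run_demo() -> Dict[str, object]:
    """Exercise the checks in throwaway directories and report what happened.

    Two sibling temp directories are created: 'base' plays the extraction
    directory, 'outside' holds a file a traversal entry would try to reach.
    """
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as outside:
        os.makedirs(os.path.join(base, "video"))
        inside_file = os.path.join(base, "video", "part1.mkv")
        outside_file = os.path.join(outside, "victim.txt")
        for path in (inside_file, outside_file):
            with open(path, "w") as fh:
                fh.write("x")
        # Relative traversal from base into the sibling temp directory.
        escape = os.path.join("..", os.path.basename(outside), "victim.txt")
        return {
            "verdicts": partition_listing(base, SAMPLE_LISTING),
            "removed_inside": safe_remove(base, "video/part1.mkv"),
            "removed_escape": safe_remove(base, escape),
            "outside_still_exists": os.path.exists(outside_file),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same `resolve_inside` gate applies to extraction writes, not just to the deletion path this advisory concerns; any code that turns an archive-supplied name into a filesystem operation should go through it.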
CVE-2026-32808 was publicly disclosed on 2026-03-20. There is currently no indication that this vulnerability is being actively exploited in the wild. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it relatively straightforward to exploit, increasing the likelihood of future PoCs.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32808 is to upgrade pyLoad to version 0.5.0b3.dev97 or later, which contains the fix. If upgrading immediately is not feasible, consider temporary workarounds: restrict the extraction directory to a tightly controlled location with limited access, and scrutinize any 7z archives received from untrusted sources before extracting them. A WAF or proxy is unlikely to address this vulnerability directly, but stricter file upload policies and input validation can help keep malicious 7z archives from reaching the system. No Sigma or YARA rules specific to this vulnerability are readily available, but monitoring file deletion events outside of expected directories is recommended.
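The detection advice above (watch for deletions landing outside the directories pyLoad is expected to manage) can be turned into a small offline check over file-event logs. This is an added example and not part of the advisory or of pyLoad: the `key=value` log format, the host and directory names, and the log lines themselves are constructed for illustration; in a real deployment the same logic would run over auditd, EDR file telemetry, or pyLoad's own log. Unlike a containment check at the point of use, this works on log text only, so it normalises paths with `os.path.normpath` rather than consulting the filesystem.

```python
import os
import re
from typing import Dict, List

# Directories in which pyLoad is expected to create and delete files.
# Constructed for this example; adjust to the deployment being monitored.
EXPECTED_DIRS = ["/var/lib/pyload/extract", "/var/lib/pyload/downloads"]

# Constructed log lines in a hypothetical key=value format. The third line
# shows a deletion whose raw path escapes the extraction directory with the
# traversal sequence the advisory cites; the fourth is an outright foreign path.
SAMPLE_LOG = """\
2026-03-20T10:01:02Z host=dl01 proc=pyload op=unlink path=/var/lib/pyload/extract/job42/part1.rar
2026-03-20T10:01:03Z host=dl01 proc=pyload op=unlink path=/var/lib/pyload/extract/job42/part2.rar
2026-03-20T10:01:04Z host=dl01 proc=pyload op=unlink path=/var/lib/pyload/extract/../../../../etc/passwd
2026-03-20T10:01:05Z host=dl01 proc=pyload op=unlink path=/home/pyload/.ssh/authorized_keys
2026-03-20T10:01:06Z host=dl01 proc=pyload op=open path=/etc/hosts
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) .*?\bop=(?P<op>\S+) path=(?P<path>\S+)$")


def is_expected_path(path: str) -> bool:
    """True if the normalised path lies strictly under one of EXPECTED_DIRS.

    normpath() collapses '..' without touching the disk, which is what we
    want for log analysis: the question is where the recorded path points,
    not whether it currently exists.
    """
    norm = os.path.normpath(path)
    for root in EXPECTED_DIRS:
        root = os.path.normpath(root)
        if os.path.commonpath([root, norm]) == root and norm != root:
            return True
    return False


def find_suspicious_deletions(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per unlink event whose target is outside EXPECTED_DIRS."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("op") != "unlink":
            continue  # not a deletion, or a line this parser does not understand
        raw = m.group("path")
        if not is_expected_path(raw):
            alerts.append({
                "ts": m.group("ts"),
                "path": raw,
                "normalized": os.path.normpath(raw),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deletions(SAMPLE_LOG):
        print(f"{alert['ts']} deletion outside expected dirs: {alert['path']}"
              f" -> {alert['normalized']}")
```

Reporting both the raw and the normalised path is deliberate: the raw form shows the traversal sequence as the process issued it, which is the indicator worth pivoting on, while the normalised form tells the responder which file was actually at risk.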
Update pyLoad to version 0.5.0b3.dev97 or later. This version fixes the path traversal vulnerability that allows for arbitrary file deletion.
CVE-2026-32808 is a Path Traversal vulnerability in pyLoad, a Python download manager, allowing attackers to delete files outside the intended extraction directory by exploiting password verification of encrypted 7z archives.
You are affected if you are running pyLoad 0.4.9-6262-g2fa0b11d3 or any other version below 0.5.0b3.dev97.
Upgrade pyLoad to version 0.5.0b3.dev97 or later to resolve the vulnerability. Consider temporary workarounds like restricting the extraction directory if immediate upgrade is not possible.
There is currently no evidence of active exploitation of CVE-2026-32808, but the vulnerability's nature suggests a potential for future exploitation.
Refer to the official pyLoad project repository or website for the latest security advisories and updates related to CVE-2026-32808.