Platform
python
Component
pyload
Fixed in
0.4.10
CVE-2026-32808 is a Path Traversal vulnerability discovered in pyLoad, a free and open-source download manager written in Python. This flaw allows attackers to delete arbitrary files outside the intended extraction directory by manipulating the password verification process of encrypted 7z archives. The vulnerability affects versions prior to 0.5.0b3.dev97 and has been resolved in that release.
The core of this vulnerability lies in how pyLoad handles password verification for encrypted 7z archives. Specifically, the application derives an archive entry name from the 7z listing output and treats it as a filesystem path without validating it. An attacker can craft a 7z archive whose listing contains an entry name with path traversal sequences (e.g., ../../../../etc/passwd). When pyLoad attempts to verify the password, it uses this crafted path as-is, allowing the attacker to delete files outside the intended extraction directory. The potential impact is significant, ranging from data loss to system compromise, depending on the privileges of the user running pyLoad. This could lead to unauthorized access to sensitive data or even complete system takeover.
CVE-2026-32808 was publicly disclosed on 2026-03-20. There is currently no indication that this vulnerability is being actively exploited in the wild. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it relatively straightforward to exploit, increasing the likelihood of future PoCs.
Users who rely on pyLoad for downloading files and are running versions prior to 0.5.0b3.dev97 are at risk. This includes individuals and organizations using pyLoad in automated download scripts or as part of their workflow. Shared hosting environments where multiple users share the same pyLoad installation are particularly vulnerable, as a compromised archive could affect all users on the system.
• linux / server:
find / -type f -name '*.7z' -mtime +7 -print # Identify old 7z archives
journalctl -u pyload -f | grep -i "password verification" # Monitor password verification logs
• python:
import os
import hashlib
# Check for unusual file paths during password verification
# (This requires code analysis of the pyLoad source code)
• generic web: Inspect web server access logs for requests containing unusual file paths or attempts to access 7z archives from untrusted sources.
disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32808 is to upgrade pyLoad to version 0.5.0b3.dev97 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. One potential workaround is to restrict the extraction directory to a tightly controlled location with limited access. Additionally, carefully scrutinize any 7z archives received from untrusted sources before attempting to extract them. While a WAF or proxy is unlikely to directly address this vulnerability, implementing stricter file upload policies and input validation can help prevent malicious 7z archives from reaching the system. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring file deletion events outside of expected directories is recommended.
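As an added illustration of the flaw described above and of the "restrict the extraction directory" workaround (example code written for this page, not pyLoad's own code), the following contrasts the unchecked join of a listed entry name onto the extraction directory with a containment check that rejects traversal and absolute names. The listing sample is constructed in the shape of `7z l -slt` output; that format, and the `/tmp/pyload_extract` directory, are assumptions.

```python
import os

# Constructed sample in the shape of `7z l -slt` technical-listing output
# (an assumption about the format; pyLoad's own parser is not reproduced here).
SAMPLE_LISTING = """\
Path = docs/readme.txt
Size = 12

Path = ../../../../etc/passwd
Size = 0

Path = /tmp/absolute.bin
Size = 3

Path = docs/../../escape.txt
Size = 1
"""

def entry_names(listing):
    """Extract archive entry names from the 'Path = ...' lines of a listing."""
    return [ln[len("Path = "):] for ln in listing.splitlines() if ln.startswith("Path = ")]

def naive_target(extract_dir, name):
    """The pattern the advisory describes: the listed name is joined onto the
    extraction directory with no containment check. os.path.join drops
    extract_dir entirely for an absolute name, and '..' walks out of it."""
    return os.path.join(extract_dir, name)

def safe_target(extract_dir, name):
    """Resolve the listed name under extract_dir and refuse any result that
    lies outside it (traversal sequences, absolute paths, other drives)."""
    root = os.path.realpath(extract_dir)
    # Treat backslashes as separators so 'a\\..\\..\\b' is judged the same way.
    candidate = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    # commonpath also raises ValueError for paths on different Windows drives.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"archive entry escapes extraction directory: {name!r}")
    return candidate

def classify(extract_dir, listing):
    """Map each listed entry to 'ok' or 'rejected' according to safe_target."""
    verdicts = {}
    for name in entry_names(listing):
        try:
            safe_target(extract_dir, name)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts
```

Only the first entry survives the check; the other three are exactly the shapes the unchecked join would happily turn into paths outside the extraction directory.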
Update pyLoad to version 0.5.0b3.dev97 or later. This version fixes the path traversal vulnerability that allows arbitrary file deletion.
CVE-2026-32808 is a Path Traversal vulnerability in pyLoad, a Python download manager, allowing attackers to delete files outside the intended extraction directory by exploiting password verification of encrypted 7z archives.
You are affected if you are running pyLoad version 0.4.9-6262-g2fa0b11d3 or any version below 0.5.0b3.dev97.
Upgrade pyLoad to version 0.5.0b3.dev97 or later to resolve the vulnerability. Consider temporary workarounds like restricting the extraction directory if immediate upgrade is not possible.
There is currently no evidence of active exploitation of CVE-2026-32808, but the vulnerability's nature suggests a potential for future exploitation.
Refer to the official pyLoad project repository or website for the latest security advisories and updates related to CVE-2026-32808.