CVE-2026-32808

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pyload:pyload::::::::
	cpe:2.3:a:pyload-ng_project:pyload-ng::::::python::*

History

No history.

Information

Published : 2026-03-20 02:16

Updated : 2026-03-26 18:36

NVD link : CVE-2026-32808

Mitre link : CVE-2026-32808

CVE.ORG link : CVE-2026-32808

JSON object : View

Products Affected

pyload

pyload

pyload-ng_project

pyload-ng

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-32808", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T02:16:34.683", "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python. Las versiones anteriores a 0.5.0b3.dev97 son vulnerables a salto de ruta durante la verificaci\u00f3n de contrase\u00f1a de ciertos archivos 7z cifrados (archivos cifrados con encabezados no cifrados), causando la eliminaci\u00f3n arbitraria de archivos fuera del directorio de extracci\u00f3n. Durante la verificaci\u00f3n de contrase\u00f1a, pyLoad deriva un nombre de entrada de archivo de la salida de listado de 7z y lo trata como una ruta del sistema de archivos sin restringirlo al directorio de extracci\u00f3n. Este problema ha sido corregido en la versi\u00f3n 0.5.0b3.dev97."}], "lastModified": "2026-03-26T18:36:48.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DACFA9B5-22AD-4BC6-87D5-8272FF49BD56", "versionEndIncluding": "0.4.20"}, {"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "FCF4830F-E848-4F80-AB82-2040E219E677", "versionEndExcluding": "0.5.0b3.dev97", "versionStartIncluding": "0.5.0a5.dev528"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}