CVE-2026-32808

HIGH EPSS 24.5%

Published Mar 20, 20263mo ago · Modified Jun 17, 20261w ago

8.1 CVSS 3.1

High

Published Mar 20, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.

CVSS Details

Base Score

8.1

Exploitability

2.8

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

24.5% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 2

Vendor	Product	Version	Range
pyload	pyload	*	≤0.4.20
pyload-ng_project	pyload-ng	*	≥0.5.0a5.dev528 – <0.5.0b3.dev97

References 1

github.com https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3

ExploitMitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.