CVE-2026-29778
HIGH
GHSA-6px9-j4qr-xfjw
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
3Description
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
Analysis
Path traversal in pyLoad versions 0.5.0b3.dev13 through 0.5.0b3.dev96 allows authenticated attackers to manipulate package folder locations through insufficient sanitization of the pack_folder parameter, bypassing directory traversal protections with recursive sequences. An attacker can exploit this to write files outside intended directories, causing data integrity issues and potential denial of service. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running pyLoad and document affected versions; isolate or disable pyLoad instances in production if business-critical. Within 7 days: Implement network segmentation to restrict pyLoad access and disable the edit_package() function if possible; monitor for suspicious folder manipulation activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today