Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.
AnalysisAI
Path traversal in pyLoad's tar extraction allows writing files outside the intended directory via specially crafted archives. The vulnerability stems from incomplete remediation of a prior path traversal fix (CVE-2026-32808), where the _safe_extractall() function continues to use the insecure os.path.commonprefix() instead of the correct os.path.commonpath(). Unauthenticated remote attackers can exploit this via a malicious tar file when a user extracts it, achieving arbitrary file write on the system. The vulnerability affects pyLoad versions prior to 0.5.0b3.dev97 and is fixed in that release.
Technical ContextAI
pyLoad is a Python-based download manager that includes tar archive extraction functionality. The vulnerability resides in src/pyload/plugins/extractors/UnTar.py's _safe_extractall() function, which attempts to prevent directory traversal attacks using path validation. However, os.path.commonprefix() performs character-level string comparison rather than true path-level analysis-for example, '/extracted/dir' and '/extracted/directory' share the character-level prefix '/extracted/dir', allowing traversal checks to be bypassed with specially crafted relative paths like '../../../'. The correct function os.path.commonpath() was introduced in commit 5f4f0fa to fix the related CVE-2026-32808, but this fix was never applied to _safe_extractall(), representing an incomplete vulnerability remediation. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal vulnerability.
RemediationAI
The primary fix is to upgrade pyLoad to version 0.5.0b3.dev97 or later, which corrects the _safe_extractall() function to use os.path.commonpath() instead of os.path.commonprefix(). Users unable to immediately upgrade should avoid extracting tar archives from untrusted sources until patching is possible. No workarounds that maintain full functionality are documented; the vulnerability is architectural to the extraction logic. Full details and security advisory information are available at https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19738
GHSA-mvwx-582f-56r7