CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.
Analysis
Path traversal in pyLoad's tar extraction allows writing files outside the intended directory via specially crafted archives. The vulnerability stems from incomplete remediation of a prior path traversal fix (CVE-2026-32808), where the _safe_extractall() function continues to use the insecure os.path.commonprefix() instead of the correct os.path.commonpath(). …
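The difference between the two checks, as an added illustration that is not pyLoad's own `_safe_extractall()` code: both functions below take an extraction directory and a tar member name and decide whether the resolved target stays inside the directory. The member names and base directory are constructed sample values.

```python
import os


def is_within_commonprefix(base: str, member: str) -> bool:
    """Flawed check: os.path.commonprefix compares strings character by
    character, so a sibling directory whose name merely starts with the
    base name ("pkg2" under base "pkg") is accepted as "inside"."""
    base = os.path.normpath(base)
    target = os.path.normpath(os.path.join(base, member))
    return os.path.commonprefix([base, target]) == base


def is_within_commonpath(base: str, member: str) -> bool:
    """Corrected check: os.path.commonpath compares whole path components,
    so only targets that really live below base are accepted."""
    base = os.path.normpath(base)
    target = os.path.normpath(os.path.join(base, member))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised for mixed absolute/relative paths (or different drives on
        # Windows); treat that as "not inside" rather than guessing.
        return False


def compare_checks(base: str, members: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each member name to (commonprefix_verdict, commonpath_verdict)."""
    return {
        m: (is_within_commonprefix(base, m), is_within_commonpath(base, m))
        for m in members
    }


# Constructed sample: one benign member, one that lands in a sibling
# directory sharing a name prefix, one that climbs further up the tree.
SAMPLE_BASE = "/tmp/downloads/pkg"
SAMPLE_MEMBERS = ["docs/readme.txt", "../pkg2/notes.txt", "../../etc/hosts"]

if __name__ == "__main__":
    for member, (prefix_ok, path_ok) in compare_checks(SAMPLE_BASE, SAMPLE_MEMBERS).items():
        print(f"{member!r}: commonprefix={prefix_ok} commonpath={path_ok}")
```

Note that `commonpath` only fixes the string-comparison flaw; it does not resolve symbolic links that an earlier archive member may have created, so extraction code should also compare against `os.path.realpath()` of the target.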
EUVD-2026-19738
GHSA-mvwx-582f-56r7