CVE-2026-42315 PUBLISHED

pyLoad: Path Traversal via Package Folder Name in set_package_data

Assigner: GitHub_M
Reserved: 26.04.2026 Published: 11.05.2026 Updated: 11.05.2026

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	pyload
Product	pyload
Versions	Version < 0.5.0b3.dev100 is affected

References

https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-36: Absolute Path Traversal CWE