Description
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw
Scores
CVSS v3
7.1
EPSS
0.0052
EPSS Percentile
39.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-23
Status
published
Products (2)
pyload-ng_project/pyload-ng
0.5.0b3.dev13 - 0.5.0b3.dev97
pypi/pyload-ng
0.5.0b3.dev13 - 0.5.0b3.dev97PyPI
Published
Mar 07, 2026
Tracked Since
Mar 07, 2026