CVE-2026-32808

HIGH

pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification

Title source: cna

Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3

Scores

CVSS v3 8.1

EPSS 0.0018

EPSS Percentile 39.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

pyload/pyload < 0.4.20

pyload/pyload >= 0.4.9-6262-g2fa0b11d3, < 0.5.0b3.dev97

pyload-ng_project/pyload-ng 0.5.0a5.dev528 - 0.5.0b3.dev97

Published Mar 20, 2026

Tracked Since Mar 20, 2026