CVE-2026-40491
Severity: MEDIUM
gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
Title source: cnaDescription
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
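The check a fixed extractall has to make is the same for ZIP and TAR: each member's on-disk destination, after resolving absolute paths, `..` segments and any symlink already present, must stay inside the chosen output directory, and it must be checked before anything is written. The following is an added example written for this advisory; it is not gdown's own code, and the hypothetical names `safe_extract`, `member_is_safe`, `build` and `demo` are this example's, not the library's. The hostile archives are constructed in memory so the whole thing runs offline.

```python
"""Hardened extractall for ZIP and TAR archives (guard against CWE-22).

Added example for this advisory, not gdown's own code. The check a fixed
extractall needs: every member's on-disk destination, after resolving absolute
paths, '..' segments and symlinks already on disk, must stay inside the output
directory. Archives produced by build() are constructed test inputs.
"""
import io
import os
import shutil
import tarfile
import tempfile
import zipfile
from pathlib import Path

class UnsafeArchiveMember(ValueError):
    """An archive member would be written outside the destination directory."""

def _resolve_inside(dest: Path, name: str) -> Path:
    """Absolute target for `name`, or raise if it escapes the already-resolved `dest`."""
    # `dest / name` keeps an absolute `name` as-is (pathlib semantics); resolve()
    # collapses '..' and follows symlinks an earlier member may have created.
    target = (dest / name).resolve()
    if os.path.commonpath([dest, target]) != str(dest):
        raise UnsafeArchiveMember(f"{name!r} resolves to {target}, outside {dest}")
    return target

def member_is_safe(dest, name: str) -> bool:
    """Pure form of the check, usable without extracting anything."""
    try:
        _resolve_inside(Path(dest).resolve(), name)
        return True
    except UnsafeArchiveMember:
        return False

def _members(data: bytes):
    """Yield (name, is_dir, opener) per member; opener is None for anything that is
    neither a directory nor a regular file (symlinks, hardlinks, devices, FIFOs)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                yield info.filename, info.is_dir(), (lambda i=info: zf.open(i))
    else:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf:
                opener = (lambda m=m: tf.extractfile(m)) if m.isfile() else None
                yield m.name, m.isdir(), opener

def safe_extract(data: bytes, dest) -> list:
    """Extract an in-memory ZIP or TAR into `dest`; return the regular files written."""
    dest, written = Path(dest).resolve(), []
    for name, is_dir, opener in _members(data):
        target = _resolve_inside(dest, name)  # validate before touching the disk
        if is_dir:
            target.mkdir(parents=True, exist_ok=True)
        elif opener is None:
            # Design choice for a downloader: no links, devices or FIFOs. A link that
            # points outside `dest` would let a later member write through it.
            raise UnsafeArchiveMember(f"refusing non-regular member {name!r}")
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            with opener() as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written

def build(kind: str, members: dict) -> bytes:
    """Constructed archive; both stdlib writers store traversal names verbatim."""
    buf = io.BytesIO()
    if kind == "zip":
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in members.items():
                zf.writestr(name, content)
    else:
        with tarfile.open(fileobj=buf, mode="w") as tf:
            for name, content in members.items():
                info = tarfile.TarInfo(name)
                info.size = len(content)
                tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo() -> dict:
    """Run safe_extract over benign and hostile ZIP and TAR inputs; {label: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        dest.mkdir()
        hostile = ["../escaped.txt",                  # classic relative traversal
                   "sub/../../escaped.txt",           # traversal hidden behind a subdir
                   os.path.join(tmp, "escaped.txt")]  # absolute-path member
        for kind in ("zip", "tar"):
            benign = build(kind, {"model/weights.bin": b"\x00" * 16, "model/README": b"ok\n"})
            results[f"{kind}:benign_files"] = len(safe_extract(benign, dest))
            for name in hostile:
                try:
                    safe_extract(build(kind, {name: b"pwned\n"}), dest)
                    results[f"{kind}:{name}"] = False  # file landed outside: traversal worked
                except UnsafeArchiveMember:
                    results[f"{kind}:{name}"] = True   # blocked before any write
        results["nothing_escaped"] = os.listdir(tmp) == ["out"]
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{outcome!s:>5}  {label}")
```

The check is deliberately not delegated to the standard library: `zipfile.extractall` strips `..` and absolute prefixes on its own, but `tarfile.extractall` only does so under the `filter="data"` behaviour (the default from Python 3.14), so an extractor that handles both formats on a range of interpreters should carry its own containment check, as above. Rejecting link members is a conservative choice for a downloader; an extractor that must preserve symlinks would instead resolve each link target against the output directory with the same test.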
References (3)
x_refsource_confirm: https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f
x_refsource_misc: https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff
x_refsource_misc: https://github.com/wkentaro/gdown/releases/tag/v5.2.2
Scores
CVSS v3
6.5
EPSS
0.0057
EPSS Percentile
42.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
pypi/gdown
>= 0, < 5.2.2 (PyPI)
wkentaro/gdown
< 5.2.2 (2 CPE variants)
Published
Apr 18, 2026
Tracked Since
Apr 18, 2026