CVE-2026-29778
HIGH7.1EPSS 0.02%pyLoad has an Arbitrary File Write via Path Traversal in edit_package()
發布日:2026/3/5修改日:2026/5/20
描述
The edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. Exploitation An authenticated user with MODIFY permission can bypass the sanitization by submitting a payload such as: `pack_folder=..././..././..././tmp` After the single-pass replacement, this becomes: `../../../tmp` Because the traversal sequences are not properly validated, the resulting normalized path escapes the intended storage directory and writes files to /tmp or other locations.
受影響套件(2)
- PyPI/pyload-ng>= 0.5.0b3.dev13, <= 0.5.0b3.dev96
- PyPI/pyload-ng>= 0.5.0b3.dev13, < 0.5.0b3.dev97
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |