CVE-2026-40491
gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
6.5
MEDIUM
CVSS 3.1
EPSS 0.08%
Description
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a path traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and, depending on which file is overwritten, Remote Code Execution (RCE). Version 5.2.2 contains a fix.
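The check that a safe archive extractor needs is illustrated below. This is an added example, not gdown's own code (the page does not show the library's implementation or the exact fix in 5.2.2); the archives it builds are constructed in memory with a `../../evil.txt` member and, for TAR, a symlink pointing at `/etc`, and the helper names (`unsafe_members`, `safe_extractall`, `demo`) are this example's own. It resolves each member name against the real destination path before anything is written, and rejects TAR symlinks and hardlinks as well, since a link that points outside the destination is a second way out that involves no `..` in any name.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Constructed sample archives, not real gdown downloads: one member name that
# climbs out of the destination plus a benign sibling so the archive looks normal.
EVIL = {"../../evil.txt": b"owned", "ok.txt": b"fine"}
BENIGN = {"docs/readme.txt": b"hello"}


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP; zipfile does not sanitize names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_tar(entries: dict, symlinks: dict = None) -> bytes:
    """Build an in-memory TAR; symlinks maps member name -> link target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


def _escapes(dest: str, member_name: str) -> bool:
    """True if dest/member_name resolves outside dest. realpath() collapses '..';
    an absolute member name makes os.path.join drop dest, which is caught too."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_members(archive: bytes, dest: str) -> list:
    """Names of members that would land outside dest. ZIP or TAR is sniffed from
    the bytes; TAR symlinks/hardlinks are reported because a link pointing outside
    dest, followed by a member written through it, escapes without any '..'."""
    buf = io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return [i.filename for i in zf.infolist() if _escapes(dest, i.filename)]
    buf.seek(0)
    bad = []
    with tarfile.open(fileobj=buf) as tf:
        for info in tf.getmembers():
            if info.issym() or info.islnk() or _escapes(dest, info.name):
                bad.append(info.name)
    return bad


def safe_extractall(archive: bytes, dest: str) -> list:
    """Validate every member first, then extract; refuse the whole archive on any
    bad member rather than extracting the rest. Returns top-level names in dest."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing archive: members escape {dest!r}: {bad}")
    buf = io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            zf.extractall(dest)
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf) as tf:
            if hasattr(tarfile, "data_filter"):     # Python 3.12+ and backports
                tf.extractall(dest, filter="data")  # second line of defence
            else:
                tf.extractall(dest)
    return sorted(os.listdir(dest))


def demo() -> dict:
    """Exercise the checks against the constructed archives."""
    dest = tempfile.mkdtemp()
    results = {
        "zip_bad": unsafe_members(build_zip(EVIL), dest),
        "tar_bad": unsafe_members(build_tar(EVIL, {"escape-link": "/etc"}), dest),
        "zip_ok": unsafe_members(build_zip(BENIGN), dest),
    }
    try:
        safe_extractall(build_tar(EVIL), dest)
        results["refused"] = False
    except ValueError:
        results["refused"] = True
    results["extracted"] = safe_extractall(build_tar(BENIGN), os.path.join(dest, "out"))
    return results


if __name__ == "__main__":
    print(demo())
```

Validating before writing anything matters: a checker that rejects only the offending member while extracting the rest still lets an attacker control which benign-looking files appear. Note also that Python's own `zipfile.extractall` strips `..` components, while `tarfile.extractall` only does so with the `filter="data"` argument added in 3.12 (and backported to maintenance releases), so code that treats the two formats the same can be safe for ZIP and traversable for TAR; the explicit `commonpath` check above covers both regardless of interpreter version.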
How to fix CVE-2026-40491
To fix CVE-2026-40491, upgrade the affected package to the patched version listed below.
- no patched version listed
- upgrade to 5.2.2 or later
Is CVE-2026-40491 being exploited?
Low: EPSS is 0.08%, and no large-scale exploitation activity has been observed so far.
Affected packages (2)
- from 0 (no upper bound listed)
- from 0, < 5.2.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |

The vector reads: network attack vector, low complexity, no privileges, but user interaction required (the victim has to download and extract the attacker's archive), with high integrity impact and no direct confidentiality or availability impact. That is why the base score stays at 6.5 even though overwriting the right file can lead to code execution.