CVE-2026-32808
Received Received - Intake
Path Traversal in pyLoad 7z Extraction Causes Arbitrary File Deletion

Publication date: 2026-03-20

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32808
EUVD
EUVD-2026-13435
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pyload pyload to 0.4.20 (inc)
pyload-ng_project pyload-ng From 0.5.0a5.dev528 (inc) to 0.5.0b3.dev97 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves identifying if pyLoad versions prior to 0.5.0b3.dev97 are processing encrypted 7z archives with non-encrypted headers that contain path traversal entries.

Since the vulnerability triggers during password verification of such archives, monitoring pyLoad logs for unusual file deletion events outside the extraction directory can help detect exploitation attempts.

There are no specific commands provided to detect this vulnerability directly, but you can check the pyLoad version installed by running:

  • pyload --version

Additionally, monitoring file system changes for unexpected deletions, especially of critical files like ~/.pyload/data/pyload.db, can indicate exploitation.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32808 is a high-severity vulnerability in pyLoad, a Python-based download manager, affecting versions before 0.5.0b3.dev97. The issue occurs during password verification of certain encrypted 7z archives that have non-encrypted headers. pyLoad derives archive entry names from the 7z listing output and treats them as filesystem paths without restricting them to the extraction directory.'}, {'type': 'paragraph', 'content': "Because these entry names can include path traversal sequences like '../', an attacker can craft an archive that causes pyLoad to delete arbitrary files outside the intended extraction directory during the verification step. This deletion happens even if the archive is not fully extracted."}, {'type': 'paragraph', 'content': 'The root cause is improper handling of file paths (CWE-22), where pyLoad fails to sanitize or constrain paths derived from attacker-controlled archive entries, leading to arbitrary file deletion.'}] [1]

Impact Analysis

This vulnerability can severely impact the integrity and availability of your system files accessible by pyLoad. An attacker who supplies a crafted encrypted 7z archive can cause pyLoad to delete arbitrary writable files outside the extraction directory.

A notable impact demonstrated is the deletion of the pyLoad database file (~/.pyload/data/pyload.db). When this file is deleted, pyLoad recreates it on restart with default credentials, potentially allowing an attacker to take over the user account if the WebUI is exposed to an attacker-accessible network.

Overall, this can lead to loss of important data, service disruption, and unauthorized access due to credential resets.

Compliance Impact

I don't know

Mitigation Strategies

The primary mitigation is to upgrade pyLoad to version 0.5.0b3.dev97 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, avoid processing encrypted 7z archives with non-encrypted headers from untrusted sources.

Implement safe-join checks in any custom extraction or verification code to reject absolute paths and paths escaping the extraction directory.

Perform password verification and extraction in a dedicated temporary directory isolated from user storage paths to prevent arbitrary file deletion.

Monitor for unexpected file deletions, especially of pyLoad database files, and restrict access to the pyLoad process to minimize potential damage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32808. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart