CVE-2026-32808
Path Traversal in pyLoad 7z Extraction Causes Arbitrary File Deletion
Publication date: 2026-03-20
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload | pyload | to 0.4.20 (inc) |
| pyload-ng_project | pyload-ng | From 0.5.0a5.dev528 (inc) to 0.5.0b3.dev97 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether pyLoad versions prior to 0.5.0b3.dev97 are processing encrypted 7z archives with non-encrypted headers that contain path traversal entries.
Since the vulnerability triggers during password verification of such archives, monitoring pyLoad logs for unusual file deletion events outside the extraction directory can help detect exploitation attempts.
There are no specific commands provided to detect this vulnerability directly, but you can check the pyLoad version installed by running:
- pyload --version
Additionally, monitoring file system changes for unexpected deletions, especially of critical files like ~/.pyload/data/pyload.db, can indicate exploitation.
Can you explain this vulnerability to me?
CVE-2026-32808 is a high-severity vulnerability in pyLoad, a Python-based download manager, affecting versions before 0.5.0b3.dev97. The issue occurs during password verification of certain encrypted 7z archives that have non-encrypted headers. pyLoad derives archive entry names from the 7z listing output and treats them as filesystem paths without restricting them to the extraction directory.

Because these entry names can include path traversal sequences like '../', an attacker can craft an archive that causes pyLoad to delete arbitrary files outside the intended extraction directory during the verification step. This deletion happens even if the archive is not fully extracted.

The root cause is improper handling of file paths (CWE-22), where pyLoad fails to sanitize or constrain paths derived from attacker-controlled archive entries, leading to arbitrary file deletion. [1]
How can this vulnerability impact me?
This vulnerability can severely impact the integrity and availability of your system files accessible by pyLoad. An attacker who supplies a crafted encrypted 7z archive can cause pyLoad to delete arbitrary writable files outside the extraction directory.
A notable impact demonstrated is the deletion of the pyLoad database file (~/.pyload/data/pyload.db). When this file is deleted, pyLoad recreates it on restart with default credentials, potentially allowing an attacker to take over the user account if the WebUI is exposed to an attacker-accessible network.
Overall, this can lead to loss of important data, service disruption, and unauthorized access due to credential resets.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade pyLoad to version 0.5.0b3.dev97 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, avoid processing encrypted 7z archives with non-encrypted headers from untrusted sources.
Implement safe-join checks in any custom extraction or verification code to reject absolute paths and paths escaping the extraction directory.
Perform password verification and extraction in a dedicated temporary directory isolated from user storage paths to prevent arbitrary file deletion.
Monitor for unexpected file deletions, especially of pyLoad database files, and restrict access to the pyLoad process to minimize potential damage.
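The safe-join check recommended above, written out as an added Python example (this is not pyLoad's code; the extraction directory, the listing entries and the helper names are constructed for the illustration). It goes one step beyond the text: besides rejecting absolute names and '..' components, it resolves symlinks already present under the extraction directory, so an entry that is lexically clean but resolves outside the directory is rejected as well.

```python
"""Safe-join check for archive entry names (added example; not pyLoad's own code).

Archive listings (for example the output of `7z l`) are attacker-controlled
strings. Before any filesystem operation on an entry, map it to a path and
prove that the path stays inside the extraction directory.
"""
import os
import tempfile
from pathlib import PurePosixPath


class UnsafeArchiveEntry(ValueError):
    """The entry name would resolve outside the extraction directory."""


def safe_join(extract_dir: str, entry_name: str) -> str:
    """Return the absolute target path for entry_name under extract_dir.

    Raises UnsafeArchiveEntry for absolute or drive-qualified names, empty
    names, names with '..' components, and names that resolve outside
    extract_dir once existing symlinks are followed (os.path.realpath).
    """
    # 7z listings use '/' separators; treat backslashes the same way so a
    # 'dir\\..\\x' name cannot slip past the component check on POSIX.
    name = entry_name.replace("\\", "/")
    if (not name or name.startswith("/") or os.path.isabs(name)
            or os.path.splitdrive(name)[0]):
        raise UnsafeArchiveEntry(f"absolute or drive-qualified entry rejected: {entry_name!r}")
    parts = PurePosixPath(name).parts  # drops '.' components and repeated slashes
    if not parts:
        raise UnsafeArchiveEntry(f"empty entry name rejected: {entry_name!r}")
    if ".." in parts:
        raise UnsafeArchiveEntry(f"traversal component rejected: {entry_name!r}")
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, *parts))
    try:
        inside = os.path.commonpath([root, candidate]) == root and candidate != root
    except ValueError:  # paths on different drives (Windows)
        inside = False
    if not inside:
        raise UnsafeArchiveEntry(f"entry resolves outside extraction dir: {entry_name!r}")
    return candidate


def partition_listing(extract_dir, entry_names):
    """Split a listing into (accepted target paths, rejected entry names)."""
    accepted, rejected = [], []
    for name in entry_names:
        try:
            accepted.append(safe_join(extract_dir, name))
        except UnsafeArchiveEntry:
            rejected.append(name)
    return accepted, rejected


# Constructed listing resembling what a crafted archive could present.
CONSTRUCTED_LISTING = [
    "video/part1.mkv",
    "./readme.txt",
    "sub//nested/file.bin",
    "../../.pyload/data/pyload.db",  # traversal out of the extraction directory
    "/etc/hosts",
    "dir\\..\\..\\escape.txt",
]


def symlink_escape_rejected() -> bool:
    """Show that a symlink inside extract_dir that points outside is caught.

    Creates a temporary extraction directory containing 'link' -> its parent
    directory and returns True when 'link/victim.db' is rejected. A purely
    lexical check would accept that name.
    """
    extract_dir = tempfile.mkdtemp(prefix="pyload-extract-")
    link = os.path.join(extract_dir, "link")
    os.symlink(os.path.dirname(extract_dir), link)
    try:
        try:
            safe_join(extract_dir, "link/victim.db")
        except UnsafeArchiveEntry:
            return True
        return False
    finally:
        os.unlink(link)
        os.rmdir(extract_dir)


if __name__ == "__main__":
    ok, bad = partition_listing("/srv/extract", CONSTRUCTED_LISTING)
    print("accepted:", ok)
    print("rejected:", bad)
    print("symlink escape rejected:", symlink_escape_rejected())
```

The realpath step is what makes the check hold on a real filesystem rather than only on strings: the verification step described in this record runs against a directory that may already contain files from earlier downloads, and a symlink among them is enough to redirect a lexically harmless entry. Combined with the dedicated temporary directory recommended above, the two checks leave no path under attacker control.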