CVE-2026-35592
Status: Received - Intake
Path Traversal in pyLoad UnTar Extractor Allows Arbitrary Write

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pyload-ng_project
Product: pyload-ng
Version / Range: up to 0.5.0b3.dev96 (inclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in pyLoad concerns an incomplete fix for a path traversal issue in the _safe_extractall() function within the UnTar.py module. The function attempts to prevent files from being extracted outside the intended directory by checking paths using os.path.commonprefix(), which compares strings at the character level rather than at the directory path level.

Because of this flawed check, a specially crafted tar archive can bypass the protection and write files outside the extraction directory. For example, a malicious archive member with a path like ../some_other_dir/file can be extracted outside the target folder, potentially overwriting files or planting malicious files.

The correct method, os.path.commonpath(), was introduced in a prior fix but was never applied to this function, leaving the vulnerability open until fixed in version 0.5.0b3.dev97.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to write files outside the intended extraction directory, potentially overwriting other users' files or planting malicious files that could lead to code execution.

Such arbitrary file write capabilities could lead to unauthorized modification of data, which may impact the integrity of sensitive information.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to alter files outside designated directories could result in breaches of data integrity and security controls required by these regulations.

Therefore, if pyLoad is used in environments subject to these regulations, this vulnerability could pose a risk to compliance by enabling unauthorized data manipulation or potential exposure.


How can this vulnerability impact me?

This vulnerability allows an attacker to craft malicious tar archives that, when extracted by pyLoad, can write files outside the intended extraction directory.

  • Arbitrary file write outside the extraction directory.
  • Overwriting files belonging to other users.
  • Planting malicious files in sensitive locations, which could lead to code execution if combined with other attack vectors.

Exploitation requires the victim to download and extract a malicious tar archive using pyLoad with the ExtractArchive addon enabled.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing the extraction behavior of pyLoad when handling tar archives, specifically by checking if the _safe_extractall() function uses the insecure os.path.commonprefix() method for path traversal validation instead of the secure os.path.commonpath().

One practical approach is to create or obtain a specially crafted malicious tar archive that attempts to write files outside the intended extraction directory using paths like '../some_directory/evil_file'. Extracting this archive with the vulnerable pyLoad version and monitoring the extraction location can reveal if files are written outside the target directory.

Suggested commands to test detection on a system with pyLoad installed:

  • Create a malicious tar archive with a path traversal payload, e.g. tar -cf malicious.tar --transform 's|^|../evil_dir/|' somefile.txt
  • Use pyLoad to extract the malicious.tar archive and observe if files are created outside the intended extraction directory.
  • Alternatively, inspect the pyLoad source code or installed package files to check if _safe_extractall() still uses os.path.commonprefix() instead of os.path.commonpath() or the secure is_within_directory() function.
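The following is an added example, not code from pyLoad or from this advisory, that shows the difference between the two checks described above and uses the correct one to scan an archive's member list without extracting anything. The function names, the destination path /srv/extract and the in-memory sample archive are all constructed for illustration.

```python
import io
import os
import tarfile


def within_by_commonprefix(directory, target):
    """The flawed check: commonprefix() compares characters, not path
    components, so a sibling such as /srv/extract_evil still 'matches'."""
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonprefix([abs_dir, abs_target]) == abs_dir


def within_by_commonpath(directory, target):
    """The corrected check: commonpath() compares whole path components."""
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def build_sample_tar():
    """Constructed in-memory archive: one benign member, one plain '../'
    member, and one that resolves to a sibling directory sharing the
    destination's name as a string prefix."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../outside.txt",
                     "../extract_evil/hook.py"):
            tar.addfile(tarfile.TarInfo(name))  # empty, size 0
    return buf.getvalue()


def scan_tar(tar_bytes, dest, check):
    """Return member names that `check` would refuse to place under dest.
    This only reads the member list; nothing is written to disk."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if not check(dest, target):
                rejected.append(member.name)
    return rejected


if __name__ == "__main__":
    sample = build_sample_tar()
    print("commonprefix rejects:", scan_tar(sample, "/srv/extract", within_by_commonprefix))
    print("commonpath rejects:  ", scan_tar(sample, "/srv/extract", within_by_commonpath))
```

The commonprefix variant lets the sibling-directory member through, while the commonpath variant rejects both escaping members; the same scan can be pointed at a real archive before handing it to an extractor.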

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade pyLoad to version 0.5.0b3.dev97 or later, where the _safe_extractall() function has been fixed to use the secure is_within_directory() function that relies on os.path.commonpath() for proper path traversal validation.

If upgrading is not immediately possible, apply the recommended code fix by replacing the vulnerable inline _is_within_directory() function in _safe_extractall() with the correct is_within_directory() function from pyload.core.utils.fs.

Additionally, avoid extracting tar archives from untrusted sources using pyLoad until the fix is applied, as exploitation requires user interaction to extract a malicious archive.

