CVE-2026-42314
Path Traversal Vulnerability in pyLoad Prior to 0.5.0b3.dev100
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload | pyload | to 0.5.0b3.dev100 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42314 is a path traversal vulnerability in pyload-ng versions 0.5.0b3.dev79 and earlier. It occurs because the sanitization of package folder names is insufficient. Specifically, the sanitization replaces the pattern '../' with '_', but this can be bypassed using patterns like '....//', which after replacement becomes '.._', still containing the '..' sequence. This allows the operating system to resolve the path outside the intended directory.
Authenticated users with ADD permissions can exploit this vulnerability to write files outside the designated download directory, potentially overwriting system files or placing files in unintended locations.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an authenticated user with ADD permissions to write files outside the intended download directory. This can lead to overwriting important system files or cluttering directories with malicious or unwanted files.
The integrity of the system is at risk because unauthorized file writes can modify or replace critical files, potentially leading to further exploitation or system instability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of pyload-ng versions 0.5.0b3.dev79 or earlier, as these versions contain the insufficient sanitization issue in package folder names.
To detect exploitation attempts, you can look for package folder names containing suspicious patterns like '....//' or folder names that, after sanitization, still contain '..' sequences indicating possible path traversal.
Commands to help detect such attempts might include searching the pyload download directories or logs for folder names with '..' sequences or unusual patterns.
- Find suspicious folder names in the download directory: `find /path/to/pyload/downloads -name '*..*'`
- Check pyload logs for package creation or addition events with suspicious folder names containing '..' or '....//'.
- Verify the installed pyload version: `pyload --version` or check the package metadata to ensure it is at least 0.5.0b3.dev100.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade pyload-ng to version 0.5.0b3.dev100 or later, where the vulnerability has been fixed.
Additionally, restrict ADD permissions to trusted users only, as exploitation requires authenticated users with these permissions.
Monitor and audit package folder names for suspicious patterns that could indicate exploitation attempts.
Consider implementing additional input validation or sanitization on package folder names if upgrading is not immediately possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated users with ADD permissions to write files outside the intended download directory by exploiting insufficient sanitization of folder names. This can lead to unauthorized modification of system files or placing malicious files in arbitrary locations.
While the vulnerability does not impact confidentiality directly, it has a high integrity impact, meaning that data or system integrity can be compromised. Such integrity violations can affect compliance with standards like GDPR or HIPAA, which require protection against unauthorized data alteration and maintaining system integrity.
Therefore, exploitation of this vulnerability could lead to non-compliance with regulations that mandate strict controls over data integrity and system security.