PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data — CVE-2026-42315
GitHub · GitHub · CVE-2026-42315
ID
CVE-2026-42315
CVE-2026-42315
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.1
8.1
EPSS
0.00059
0.00059
Summary
### Summary No sanitization of package folder name allows writing files anywhere outside the intended download directory. #### Affected Component - `src/pyload/core/api/__init__.py` - Function: `set_package_data()` ### Details When passing a folder name in the `set_package_data()` API function call inside the data object with key `"_folder"`, there is no sanitization at all, allowing a user with `Perms.MODIFY` to…
Product
pip: pyload-ng
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.