Vulnerability Description
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pyload | Pyload | <= 0.4.20 |
| Pyload-Ng Project | Pyload-Ng | >= 0.5.0a5.dev528, < 0.5.0b3.dev97 |
Related Weaknesses (CWE)
References
- https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-32808?
CVE-2026-32808 is a vulnerability with a CVSS score of 8.1 (HIGH). pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encry...
How severe is CVE-2026-32808?
CVE-2026-32808 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32808?
Check the references section above for vendor advisories and patch information. Affected products include: Pyload Pyload, Pyload-Ng Project Pyload-Ng.