Pyload · Pyload · CVE-2026-42315
**Name of the Vulnerable Software and Affected Versions**
pyLoad versions prior to 0.5.0b3.dev100
**Description**
Lack of sanitization in the `set_package_data()` function allows a user with `Perms.MODIFY` permissions to specify arbitrary directories as download locations for a package. This occurs when passing a folder name within the data object using the `_folder` variable, enabling absolute path traversal to write files anywhere the pyLoad process has write access.
**Recommendations**
Update to version 0.5.0b3.dev100.
As a temporary workaround, restrict access to the `set_package_data()` function or avoid using the `_folder` variable until the update is applied.
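
The containment check that the description says is missing can be illustrated as follows. This is an added example, not pyLoad's code or its actual fix; the function names, the `download_root` parameter and the sample paths are assumptions made for the illustration.

```python
import os


def naive_package_folder(download_root: str, folder: str) -> str:
    # Unsanitized pattern (illustrative only): os.path.join() drops
    # download_root entirely when `folder` is an absolute path.
    return os.path.join(download_root, folder)


def resolve_package_folder(download_root: str, folder: str) -> str:
    """Return the package directory, confined to download_root.

    Raises ValueError when the user-supplied folder would resolve to a
    location outside download_root.
    """
    root = os.path.realpath(download_root)
    # realpath() collapses ".." segments and follows symlinks, so the
    # containment check runs on the location that would actually be written.
    candidate = os.path.realpath(os.path.join(root, folder))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different Windows drives
        inside = False
    if not inside:
        raise ValueError(f"package folder escapes download root: {folder!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample values; "/srv/downloads" is a hypothetical root.
    root = "/srv/downloads"
    for folder in ("series/s01", "a/../b", "/var/elsewhere", "../outside"):
        try:
            print(f"{folder!r:20} -> {resolve_package_folder(root, folder)}")
        except ValueError as exc:
            print(f"{folder!r:20} -> rejected ({exc})")
```

Comparing resolved paths with `os.path.commonpath()` rather than a string prefix test avoids accepting a sibling directory whose name merely starts with the root's name.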