PT-2025-30362 · Pyload · Pyload

Published: 2025-07-21 · Updated: 2025-07-23 · CVE-2025-54140

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
pyLoad versions prior to 0.5.0b3.dev90

Description
pyLoad contains an authenticated path traversal vulnerability in the /json/upload endpoint. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory and write arbitrary files to any location on the system accessible to the pyLoad process. This could lead to Remote Code Execution (RCE), local privilege escalation, system-wide compromise, and persistence. The vulnerable code resides in src/pyload/webui/app/blueprints/json_blueprint.py and lacks sanitization or validation of the file.filename variable, allowing traversal via ../../ sequences.

Recommendations
pyLoad versions prior to 0.5.0b3.dev90 should be updated to version 0.5.0b3.dev90 or later.
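As an added illustration (not pyLoad's code and not the project's actual fix), the flawed join described above beside a hardened check an upload handler can apply to the client-supplied filename before writing; the function names and the UPLOAD_DIR value are constructed for this example.

```python
# Added example: contrast between joining a client-controlled filename
# unchanged and validating it first. Names and UPLOAD_DIR are assumptions.
import os
from typing import Optional

UPLOAD_DIR = "/var/lib/pyload/uploads"   # constructed sample directory


def naive_upload_path(upload_dir: str, client_filename: str) -> str:
    """The flawed pattern: the client name is joined as-is, so '../'
    components walk out of the upload directory."""
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_upload_path(upload_dir: str, client_filename: str) -> Optional[str]:
    """Return an absolute path inside upload_dir for the client filename,
    or None when the name must be rejected (separators, '..', empty, NUL)."""
    if "\x00" in client_filename:
        return None
    # Require a bare filename: any separator is rejected outright rather
    # than silently stripped, so attempts stay visible in the request log.
    if "/" in client_filename or "\\" in client_filename:
        return None
    if client_filename in ("", ".", ".."):
        return None
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, client_filename))
    # Defence in depth: the resolved target must lie strictly below base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_filenames(upload_dir: str, filenames):
    """Map each submitted filename to 'accepted' or 'rejected', the decision
    a handler would log before calling file.save()."""
    return {
        fn: ("accepted" if safe_upload_path(upload_dir, fn) else "rejected")
        for fn in filenames
    }


if __name__ == "__main__":
    samples = ["report.zip", "../../../../etc/cron.d/job", "..\\..\\x.py", ".."]
    for fn, verdict in classify_filenames(UPLOAD_DIR, samples).items():
        print(f"{fn!r:40} {verdict}")
```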

Tags: Exploit · Fix · LPE · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-54140
GHSA-XQPG-92FQ-GRFG

Affected Products

Pyload