PT-2026-30897 · Pyload · Pyload

Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-35592

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev97
Description: pyLoad is a free and open-source download manager written in Python. The safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check. That function performs a character-level string comparison rather than a path-component comparison, so a destination that merely begins with the same characters as the extraction directory (for example a sibling directory whose name shares that prefix) passes the check. This allows a specially crafted tar archive to write files outside the intended extraction directory. The fix, os.path.commonpath(), was added to the codebase but was not applied to safe_extractall(), resulting in an incomplete fix.
Recommendations: Update to version 0.5.0b3.dev97 or later.
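The check described above, shown side by side with its corrected form, as an added example that is not pyLoad's own code. The base directory and the member names in the in-memory archive are constructed test data; the audit only classifies members and never extracts anything.

```python
import io
import os
import tarfile


def _resolve(base: str, member_name: str) -> tuple[str, str]:
    """Normalise the extraction directory and the member's final destination."""
    base = os.path.realpath(base)
    return base, os.path.realpath(os.path.join(base, member_name))


def inside_by_commonprefix(base: str, member_name: str) -> bool:
    """The flawed check: commonprefix compares characters, so a sibling
    directory whose name merely starts with the base name is accepted."""
    base, target = _resolve(base, member_name)
    return os.path.commonprefix([base, target]) == base


def inside_by_commonpath(base: str, member_name: str) -> bool:
    """The corrected check: commonpath compares whole path components."""
    base, target = _resolve(base, member_name)
    return os.path.commonpath([base, target]) == base


def audit_archive(tar: tarfile.TarFile, base: str) -> dict[str, tuple[bool, bool]]:
    """Map each member name to (accepted_by_commonprefix, accepted_by_commonpath)."""
    return {m.name: (inside_by_commonprefix(base, m.name),
                     inside_by_commonpath(base, m.name)) for m in tar.getmembers()}


# Constructed sample: one legitimate member, one that escapes only past the
# flawed check, and one that both checks reject.
SAMPLE_MEMBERS = ["docs/readme.txt", "../pkg2/file.bin", "../../outside.txt"]
SAMPLE_BASE = "/srv/pyload/downloads/pkg"  # hypothetical extraction directory


def build_sample_archive(names) -> tarfile.TarFile:
    """Build an in-memory tar whose member names are test data, not real payloads."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def audit_sample() -> dict[str, tuple[bool, bool]]:
    with build_sample_archive(SAMPLE_MEMBERS) as tar:
        return audit_archive(tar, SAMPLE_BASE)
```

Running audit_sample() shows "../pkg2/file.bin" accepted by the commonprefix check and rejected by the commonpath check, which is exactly the gap the advisory describes.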

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-35592
GHSA-MVWX-582F-56R7
PYSEC-2026-124

Affected Products

Pyload