PT-2026-33220 · Pypi · Gdown

Redyank · Published 2026-04-14 · Updated 2026-05-01 · CVE-2026-40491

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: gdown versions prior to 5.2.2
Description: A Path Traversal issue exists within the extractall() function in the gdown/extractall.py file. The software fails to sanitize or validate the filenames of members within ZIP or TAR archives during extraction. This allows files to be written outside the intended destination directory, which can lead to arbitrary file overwrite and Remote Code Execution (RCE).
Recommendations: Update to version 5.2.2. As a temporary workaround, restrict the use of the extractall() function when processing archives from untrusted sources.

Tags: Fix · RCE · Path traversal


Related Identifiers

CVE-2026-40491
GHSA-76HW-P97H-883F

Affected Products

Gdown