PT-2026-37264 · Pyload · Pyload

Sab44 · Published 2026-05-05 · Updated 2026-05-15 · CVE-2026-42315

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

pyLoad versions prior to 0.5.0b3.dev100

Description

Lack of sanitization in the set_package_data() function allows a user with Perms.MODIFY permissions to specify arbitrary directories as download locations for a package. This occurs when passing a folder name within the data object using the folder variable, enabling absolute path traversal to write files anywhere the pyLoad process has write access.

Recommendations

Update to version 0.5.0b3.dev100. As a temporary workaround, restrict access to the set_package_data() function or avoid using the folder variable until the update is applied.
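The kind of check the description says was missing, as an added example (not pyLoad's code and not its actual patch). It assumes the package folder is joined onto a download root; the names naive_package_dir, safe_package_dir and audit, and all sample values, are hypothetical.

```python
import os
import tempfile


def naive_package_dir(storage_root: str, folder: str) -> str:
    # Unsafe pattern (assumed for illustration): os.path.join() discards
    # every earlier component as soon as a later one is absolute.
    return os.path.join(storage_root, folder)


def safe_package_dir(storage_root: str, folder: str) -> str:
    """Return the resolved package directory, or raise ValueError if the
    user-supplied folder would land outside storage_root."""
    if not folder or "\x00" in folder:
        raise ValueError("empty or malformed folder name")
    root = os.path.realpath(storage_root)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root, folder))
    # commonpath compares whole components, so "<root>-x" is not
    # mistaken for a child of "<root>" (a plain startswith() would be).
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"folder escapes download root: {folder!r}")
    return candidate


def audit(storage_root: str, folders) -> dict:
    """Classify folder values, e.g. when validating a request or
    reviewing stored package records after an upgrade."""
    verdicts = {}
    for folder in folders:
        try:
            safe_package_dir(storage_root, folder)
            verdicts[folder] = "ok"
        except ValueError:
            verdicts[folder] = "rejected"
    return verdicts


# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["movies/season1", "/tmp/elsewhere", "../outside",
           "a/../../outside", ""]

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    print("naive join:", naive_package_dir(root, "/tmp/elsewhere"))
    for folder, verdict in audit(root, SAMPLES).items():
        print(f"{folder!r:22} {verdict}")
```

The check resolves paths at validation time, so it should be applied again (or the resolved path reused) at the point where the directory is actually created.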

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-42315
GHSA-838G-GR43-QQG9
PYSEC-2026-129

Affected Products

Pyload