CVE-2026-32808
published 2026-03-20CVE-2026-32808: pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password…
PriorityP348high8.1CVSS 3.1
AVNACLPRNUIRSUCNIHAH
EPSS
0.33%
24.4th percentile
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | <= 0.5.0b3.dev96 | — |
| pyload-ng_project | pyload-ng | >= 0.5.0a5.dev528 < 0.5.0b3.dev97 | 0.5.0b3.dev97 |
| pyload | pyload | < 0.5.0b3.dev97 | 0.5.0b3.dev97 |
| pyload | pyload | <= 0.4.20 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
2026-03-20
Published