CVE-2026-32808: Path Traversal in Pyload

CWE-22: Path Traversal | 5 documents | 3 sources
Severity: 8.1 HIGH (NVD)
NVD 5.3
EPSS: 0.1% (top 74.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 20
Latest update: Apr 7

Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue ha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (3 packages)

CVEListV5: pyload/pyload < 0.5.0b3.dev97 (+1)
NVD: pyload-ng_project/pyload-ng 0.5.0a5.dev528 0.5.0b3.dev97
NVD: pyload/pyload 0.4.20

🔴 Vulnerability Details (2)

CVEList: pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass (2026-04-07)
CVEList: pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification (2026-03-20)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-35592 Impact, Exploitability, and Mitigation Steps | Wiz