CVE-2026-42315
Published: 2026-05-11
Priority: P3 (42)
Severity: medium, CVSS 3.1 base score 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.40% (31.3rd percentile)
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
| pyload | pyload | < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
VulDB
vuldb · 2026-05-11 · CVSS 8.1
CVE-2026-42315 [HIGH] pyLoad up to 0.5.0b3.dev98 set_package_data path traversal
A vulnerability rated critical by VulDB has been found in pyLoad. It affects the function set_package_data; manipulation of its input leads to path traversal.
The issue is tracked as CVE-2026-42315. The attack may be performed remotely. No public exploit is available.
Upgrading the affected component is advised.
GHSA
ghsa · 2026-05-05
CVE-2026-42315 [HIGH] CWE-22 PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
### Summary
The package folder name is not sanitized, so a user with `Perms.MODIFY` can make pyLoad write downloaded files anywhere outside the intended download directory that the pyLoad process can write to.
#### Affected Component
- `src/pyload/core/api/__init__.py`
- Function: `set_package_data()`
### Details
When passing a folder name in the `set_package_data()` API function call inside the data object with key `"_folder"`, there is no sanitization at all, allowing a user with `Perms.MODIFY` to specify arbitrary directories as download locations for a package.
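The root cause described above is a path join with an untrusted folder component. As an added example (not pyLoad's code and not the project's actual fix), the Python below puts the vulnerable join beside a hardened check and wraps both in a toy `set_package_data()` stand-in so the effect on a package record is visible. `DOWNLOAD_ROOT`, `UnsafeFolderName`, `is_rejected` and the in-memory package dict are assumptions made for the illustration.

```python
import posixpath

# Assumed download root for the illustration; not a path taken from pyLoad.
DOWNLOAD_ROOT = "/srv/pyload/downloads"


class UnsafeFolderName(ValueError):
    """Raised when a package folder would resolve outside the download root."""


def unsafe_package_folder(root, folder):
    """Vulnerable pattern the advisory describes: the "_folder" value is joined
    into the storage root with no validation. posixpath.join drops `root`
    entirely when `folder` is absolute, and ".." segments walk back out of it."""
    return posixpath.normpath(posixpath.join(root, folder))


def safe_package_folder(root, folder):
    """Hardened variant (added here, not pyLoad's fix): normalise the candidate
    path and accept it only if it is still at or below `root`."""
    if "\x00" in folder:
        raise UnsafeFolderName("NUL byte in folder name")
    # Treat backslashes as separators so "..\\..\\etc" is not waved through on POSIX.
    folder = folder.replace("\\", "/")
    if posixpath.isabs(folder):
        raise UnsafeFolderName("absolute folder path rejected: %r" % folder)
    root_n = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_n, folder))
    # The common prefix of root and target equals root only when target is inside root.
    if posixpath.commonpath([root_n, target]) != root_n:
        raise UnsafeFolderName("folder escapes download root: %r" % folder)
    return target


def is_rejected(root, folder):
    """True when the hardened check refuses `folder` (helper for the illustration)."""
    try:
        safe_package_folder(root, folder)
    except UnsafeFolderName:
        return True
    return False


def set_package_data(packages, pid, data, root=DOWNLOAD_ROOT, hardened=True):
    """Toy stand-in for the set_package_data() API call (not pyLoad's code).
    Only the "_folder" key gets special handling; other keys are copied through."""
    pkg = packages[pid]
    for key, value in data.items():
        if key == "_folder":
            check = safe_package_folder if hardened else unsafe_package_folder
            pkg["folder"] = check(root, value)
        else:
            pkg[key] = value
    return pkg


if __name__ == "__main__":
    # Constructed sample: one package, then the data object a MODIFY-capable user could submit.
    packages = {5: {"name": "sample", "folder": DOWNLOAD_ROOT}}
    traversal = {"_folder": "../../../etc/cron.d"}
    print("unpatched:", set_package_data(packages, 5, traversal, hardened=False)["folder"])
    try:
        set_package_data(packages, 5, traversal, hardened=True)
    except UnsafeFolderName as exc:
        print("hardened:", exc)
```

The check is lexical: it stops `..`, absolute paths and NUL bytes, but a symlink already inside the download tree can still redirect a write elsewhere, so the code that opens files should additionally compare `os.path.realpath()` of the final path against the realpath of the root. Sanitization is also not a substitute for the permission check; `Perms.MODIFY` users are still trusted to choose any folder below the root.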
### PoC
1) Create a package and note the package ID in the response, e.g. `5`:
```
curl -X 'POST' \
  'http://localhost:8000/api/add_package' \
  -H 'accept: application/json' \
  -H 'X-API-Key: ' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "se
```
No detection rules, public exploits, or writeups indexed for this CVE.