{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29778", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.898Z", "datePublished": "2026-03-07T15:28:36.919Z", "dateUpdated": "2026-03-09T18:26:46.896Z"}, "containers": {"cna": {"title": "pyLoad: Arbitrary File Write via Path Traversal in edit_package()", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": ">= 0.5.0b3.dev13, < 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:28:36.919Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-6px9-j4qr-xfjw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:52:31.612889Z", "id": "CVE-2026-29778", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:26:46.896Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29778", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:52:31.612889Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:52:32.765Z"}}], "cna": {"title": "pyLoad: Arbitrary File Write via Path Traversal in edit_package()", "source": {"advisory": "GHSA-6px9-j4qr-xfjw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": ">= 0.5.0b3.dev13, < 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T15:28:36.919Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29778", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:26:46.896Z", "dateReserved": "2026-03-04T16:26:02.898Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T15:28:36.919Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "530238B6-CD4D-4A83-B290-14E10FF47177", "versionEndExcluding": "0.5.0b3.dev97", "versionStartIncluding": "0.5.0b3.dev13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python. Desde la versi\u00f3n 0.5.0b3.dev13 hasta la 0.5.0b3.dev96, la funci\u00f3n edit_package() implementa una sanitizaci\u00f3n insuficiente para el par\u00e1metro pack_folder. La protecci\u00f3n actual se basa en un reemplazo de cadena de una sola pasada de '../', que puede ser eludido utilizando secuencias de recorrido recursivo manipuladas. Este problema ha sido parcheado en la versi\u00f3n 0.5.0b3.dev97."}], "id": "CVE-2026-29778", "lastModified": "2026-03-11T22:09:15.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-07T16:15:54.800", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.5.0b3.dev13,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-04-17T12:11:04.658065+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or newer to apply the official patch", "If immediate upgrade is not possible, restrict access to the edit_package feature to trusted users and disable or sandbox untrusted plugins", "As an additional defense, implement custom path sanitization that ensures pack_folder does not resolve outside the intended download directory"], "summary": {"action": "Patch Now", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "pyLoad, versions 0.5.0b3.dev13 through 0.5.0b3.dev96 inclusive. The issue is fixed in 0.5.0b3.dev97 and later revisions; earlier or lower-numbered releases are unaffected.", "description_and_impact": "The vulnerability stems from the edit_package() function in pyLoad, which inadequately sanitizes the pack_folder parameter, relying on a single-pass replacement of \"../\". Crafted recursive traversal sequences bypass this check, allowing the attacker to write to any path relative to the pyLoad installation. This path traversal flaw is classified as CWE-23 and can lead to arbitrary file overwrites, potentially replacing critical configuration files or injecting malicious scripts.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate severity, while the EPSS score of <1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need local execution or control over pyLoad to trigger edit_package() with a crafted pack_folder value. The likely attack vector is a local user or a compromised local process. In environments where untrusted input can be supplied to pyLoad, or where multiple users share the same installation, the risk escalates, as unauthorized file writes could compromise user data or the pyLoad configuration."}}}}, "created": "2026-03-09T10:05:13.954250+00:00", "updated": "2026-04-17T12:15:18.169928+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}