{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35592", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.161Z", "datePublished": "2026-04-07T16:11:38.209Z", "dateUpdated": "2026-04-08T14:58:21.343Z"}, "containers": {"cna": {"title": "pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:11:38.209Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-mvwx-582f-56r7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:58:13.383665Z", "id": "CVE-2026-35592", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:58:21.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35592", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:58:13.383665Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:58:18.442Z"}}], "cna": {"title": "pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass", "source": {"advisory": "GHSA-mvwx-582f-56r7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": "< 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:11:38.209Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35592", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:58:21.343Z", "dateReserved": "2026-04-03T21:25:12.161Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T16:11:38.209Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "0F5DE8DC-98B9-4A24-89F9-C2FEFD254815", "versionEndIncluding": "0.5.0b3.dev96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97."}], "id": "CVE-2026-35592", "lastModified": "2026-04-16T21:11:52.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T17:16:34.280", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-04-07T23:21:39.328333+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or later", "Verify the integrity of the installed pyLoad version using the release notes or commit history", "Monitor for any anomalous file creation in extraction directories", "Consider restricting file extraction permissions to a non\u2011privileged user to limit potential damage"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Write via Path Traversal"}, "threat_synthesis": {"affected_systems": "Any installation of pyLoad before version 0.5.0b3.dev97 is affected. The product is the open\u2011source download manager pyLoad, maintained by the pyload community. Users running older revisions that still use the _safe_extractall() routine with os.path.commonprefix() are vulnerable. Upgrading to 0.5.0b3.dev97 or later resolves the issue.", "description_and_impact": "The vulnerability resides in pyLoad\u2019s _safe_extractall() function, which verifies extraction paths using a character\u2011level comparison. This allows a specially crafted tar archive to create files outside the intended directory, compromising file integrity and potentially overwriting critical system files. The weakness is a typical path\u2011traversal flaw that can lead to arbitrary file write, with the extent of damage depending on the directory the application runs in. The identified weakness maps to CWE\u201122, indicating a security issue where untrusted input influences a path computation that is not adequately validated.", "risk_and_exploitability": "The CVSS score of 5.3 signifies a moderate severity, meaning the vulnerability can be exploited in a non\u2011interactive or low\u2011privilege scenario. EPSS data is unavailable, so the exact likelihood of exploitation cannot be quantified, but the flaw is not listed in the CISA KEV catalog, suggesting no known exploitation at the time. The attack vector is inferred to be local file system traversal: an attacker can supply a malicious tar file to pyLoad, resulting in files being written outside the designated extraction directory. If pyLoad runs with elevated privileges or writes to sensitive locations, the potential impact could be high. Nonetheless, without confirmed exploitation, the risk remains moderate pending further monitoring."}}}}, "created": "2026-04-08T19:36:56.760774+00:00", "updated": "2026-04-08T19:48:01.061994+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}