Path Traversal Vulnerability in pyLoad Download Manager by pyLoad Team
CVE-2026-35592

5.3MEDIUM

Key Information:

Vendor: Pyload
Status: Pyload
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-35592?

A path traversal vulnerability exists in the pyLoad download manager, specifically in the _safe_extractall() function of the UnTar.py module. This issue arises due to the function using os.path.commonprefix() for path checks instead of a more secure method, allowing carefully crafted tar files to extract contents outside the designated directories. Although a related fix was implemented in a previous patch, it was not correctly applied here, leaving this function exposed. The vulnerability is resolved in version 0.5.0b3.dev97.

Affected Version(s)

pyload < 0.5.0b3.dev97

References

https://github.com/pyload/pyload/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 3, 2026

CVE-2026-35592 Data

JSON

Pyload

What is CVE-2026-35592?

Affected Version(s)

References

CVSS V3.1

Timeline