PYSEC-2026-124

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-124.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-124

Aliases

CVE-2026-35592
GHSA-mvwx-582f-56r7

Published

2026-04-07T17:16:34.280Z

Modified

2026-05-20T09:19:15.840719Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the safeextractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to safeextractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.

References

https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7

Affected packages

PyPI / pyload-ng

Package

Name: pyload-ng; View open source insights on deps.dev
Purl: pkg:pypi/pyload-ng

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0b3.dev97

Affected versions

0.*

0.5.0a5.dev528

0.5.0a5.dev532

0.5.0a5.dev535

0.5.0a5.dev536

0.5.0a5.dev537

0.5.0a5.dev539

0.5.0a5.dev540

0.5.0a5.dev545

0.5.0a5.dev562

0.5.0a5.dev564

0.5.0a5.dev565

0.5.0a6.dev570

0.5.0a6.dev578

0.5.0a6.dev587

0.5.0a7.dev596

0.5.0a8.dev602

0.5.0a9.dev615

0.5.0a9.dev629

0.5.0a9.dev632

0.5.0a9.dev641

0.5.0a9.dev643

0.5.0a9.dev655

0.5.0a9.dev806

0.5.0b1.dev1

0.5.0b1.dev2

0.5.0b1.dev3

0.5.0b1.dev4

0.5.0b1.dev5

0.5.0b2.dev9

0.5.0b2.dev10

0.5.0b2.dev11

0.5.0b2.dev12

0.5.0b3.dev13

0.5.0b3.dev14

0.5.0b3.dev17

0.5.0b3.dev18

0.5.0b3.dev19

0.5.0b3.dev20

0.5.0b3.dev21

0.5.0b3.dev22

0.5.0b3.dev24

0.5.0b3.dev26

0.5.0b3.dev27

0.5.0b3.dev28

0.5.0b3.dev29

0.5.0b3.dev30

0.5.0b3.dev31

0.5.0b3.dev32

0.5.0b3.dev33

0.5.0b3.dev34

0.5.0b3.dev35

0.5.0b3.dev38

0.5.0b3.dev39

0.5.0b3.dev40

0.5.0b3.dev41

0.5.0b3.dev42

0.5.0b3.dev43

0.5.0b3.dev44

0.5.0b3.dev45

0.5.0b3.dev46

0.5.0b3.dev47

0.5.0b3.dev48

0.5.0b3.dev49

0.5.0b3.dev50

0.5.0b3.dev51

0.5.0b3.dev52

0.5.0b3.dev53

0.5.0b3.dev54

0.5.0b3.dev57

0.5.0b3.dev60

0.5.0b3.dev62

0.5.0b3.dev64

0.5.0b3.dev65

0.5.0b3.dev66

0.5.0b3.dev67

0.5.0b3.dev68

0.5.0b3.dev69

0.5.0b3.dev70

0.5.0b3.dev71

0.5.0b3.dev72

0.5.0b3.dev73

0.5.0b3.dev74

0.5.0b3.dev75

0.5.0b3.dev76

0.5.0b3.dev77

0.5.0b3.dev78

0.5.0b3.dev79

0.5.0b3.dev80

0.5.0b3.dev81

0.5.0b3.dev82

0.5.0b3.dev85

0.5.0b3.dev87

0.5.0b3.dev88

0.5.0b3.dev89

0.5.0b3.dev90

0.5.0b3.dev91

0.5.0b3.dev92

0.5.0b3.dev93

0.5.0b3.dev94

0.5.0b3.dev95

0.5.0b3.dev96

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-124.yaml"