PYSEC-2026-128

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-128.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-128

Aliases

CVE-2026-42314
GHSA-97r3-5w84-r4q8

Published

2026-05-11T18:16:35.123Z

Modified

2026-05-20T09:19:16.067671Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.

References

https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8

Affected packages

PyPI / pyload-ng

Package

Name: pyload-ng; View open source insights on deps.dev
Purl: pkg:pypi/pyload-ng

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0b3.dev100

Affected versions

0.*

0.5.0a5.dev528

0.5.0a5.dev532

0.5.0a5.dev535

0.5.0a5.dev536

0.5.0a5.dev537

0.5.0a5.dev539

0.5.0a5.dev540

0.5.0a5.dev545

0.5.0a5.dev562

0.5.0a5.dev564

0.5.0a5.dev565

0.5.0a6.dev570

0.5.0a6.dev578

0.5.0a6.dev587

0.5.0a7.dev596

0.5.0a8.dev602

0.5.0a9.dev615

0.5.0a9.dev629

0.5.0a9.dev632

0.5.0a9.dev641

0.5.0a9.dev643

0.5.0a9.dev655

0.5.0a9.dev806

0.5.0b1.dev1

0.5.0b1.dev2

0.5.0b1.dev3

0.5.0b1.dev4

0.5.0b1.dev5

0.5.0b2.dev9

0.5.0b2.dev10

0.5.0b2.dev11

0.5.0b2.dev12

0.5.0b3.dev13

0.5.0b3.dev14

0.5.0b3.dev17

0.5.0b3.dev18

0.5.0b3.dev19

0.5.0b3.dev20

0.5.0b3.dev21

0.5.0b3.dev22

0.5.0b3.dev24

0.5.0b3.dev26

0.5.0b3.dev27

0.5.0b3.dev28

0.5.0b3.dev29

0.5.0b3.dev30

0.5.0b3.dev31

0.5.0b3.dev32

0.5.0b3.dev33

0.5.0b3.dev34

0.5.0b3.dev35

0.5.0b3.dev38

0.5.0b3.dev39

0.5.0b3.dev40

0.5.0b3.dev41

0.5.0b3.dev42

0.5.0b3.dev43

0.5.0b3.dev44

0.5.0b3.dev45

0.5.0b3.dev46

0.5.0b3.dev47

0.5.0b3.dev48

0.5.0b3.dev49

0.5.0b3.dev50

0.5.0b3.dev51

0.5.0b3.dev52

0.5.0b3.dev53

0.5.0b3.dev54

0.5.0b3.dev57

0.5.0b3.dev60

0.5.0b3.dev62

0.5.0b3.dev64

0.5.0b3.dev65

0.5.0b3.dev66

0.5.0b3.dev67

0.5.0b3.dev68

0.5.0b3.dev69

0.5.0b3.dev70

0.5.0b3.dev71

0.5.0b3.dev72

0.5.0b3.dev73

0.5.0b3.dev74

0.5.0b3.dev75

0.5.0b3.dev76

0.5.0b3.dev77

0.5.0b3.dev78

0.5.0b3.dev79

0.5.0b3.dev80

0.5.0b3.dev81

0.5.0b3.dev82

0.5.0b3.dev85

0.5.0b3.dev87

0.5.0b3.dev88

0.5.0b3.dev89

0.5.0b3.dev90

0.5.0b3.dev91

0.5.0b3.dev92

0.5.0b3.dev93

0.5.0b3.dev94

0.5.0b3.dev95

0.5.0b3.dev96

0.5.0b3.dev97

0.5.0b3.dev98

0.5.0b3.dev99

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-128.yaml"