PYSEC-2026-129

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-129.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-129

Aliases

CVE-2026-42315
GHSA-838g-gr43-qqg9

Published

2026-05-11T18:16:35.260Z

Modified

2026-05-20T09:19:16.123820Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the setpackagedata() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.

References

https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9

Affected packages

PyPI / pyload-ng

Package

Name: pyload-ng; View open source insights on deps.dev
Purl: pkg:pypi/pyload-ng

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0b3.dev100

Affected versions

0.*

0.5.0a5.dev528

0.5.0a5.dev532

0.5.0a5.dev535

0.5.0a5.dev536

0.5.0a5.dev537

0.5.0a5.dev539

0.5.0a5.dev540

0.5.0a5.dev545

0.5.0a5.dev562

0.5.0a5.dev564

0.5.0a5.dev565

0.5.0a6.dev570

0.5.0a6.dev578

0.5.0a6.dev587

0.5.0a7.dev596

0.5.0a8.dev602

0.5.0a9.dev615

0.5.0a9.dev629

0.5.0a9.dev632

0.5.0a9.dev641

0.5.0a9.dev643

0.5.0a9.dev655

0.5.0a9.dev806

0.5.0b1.dev1

0.5.0b1.dev2

0.5.0b1.dev3

0.5.0b1.dev4

0.5.0b1.dev5

0.5.0b2.dev9

0.5.0b2.dev10

0.5.0b2.dev11

0.5.0b2.dev12

0.5.0b3.dev13

0.5.0b3.dev14

0.5.0b3.dev17

0.5.0b3.dev18

0.5.0b3.dev19

0.5.0b3.dev20

0.5.0b3.dev21

0.5.0b3.dev22

0.5.0b3.dev24

0.5.0b3.dev26

0.5.0b3.dev27

0.5.0b3.dev28

0.5.0b3.dev29

0.5.0b3.dev30

0.5.0b3.dev31

0.5.0b3.dev32

0.5.0b3.dev33

0.5.0b3.dev34

0.5.0b3.dev35

0.5.0b3.dev38

0.5.0b3.dev39

0.5.0b3.dev40

0.5.0b3.dev41

0.5.0b3.dev42

0.5.0b3.dev43

0.5.0b3.dev44

0.5.0b3.dev45

0.5.0b3.dev46

0.5.0b3.dev47

0.5.0b3.dev48

0.5.0b3.dev49

0.5.0b3.dev50

0.5.0b3.dev51

0.5.0b3.dev52

0.5.0b3.dev53

0.5.0b3.dev54

0.5.0b3.dev57

0.5.0b3.dev60

0.5.0b3.dev62

0.5.0b3.dev64

0.5.0b3.dev65

0.5.0b3.dev66

0.5.0b3.dev67

0.5.0b3.dev68

0.5.0b3.dev69

0.5.0b3.dev70

0.5.0b3.dev71

0.5.0b3.dev72

0.5.0b3.dev73

0.5.0b3.dev74

0.5.0b3.dev75

0.5.0b3.dev76

0.5.0b3.dev77

0.5.0b3.dev78

0.5.0b3.dev79

0.5.0b3.dev80

0.5.0b3.dev81

0.5.0b3.dev82

0.5.0b3.dev85

0.5.0b3.dev87

0.5.0b3.dev88

0.5.0b3.dev89

0.5.0b3.dev90

0.5.0b3.dev91

0.5.0b3.dev92

0.5.0b3.dev93

0.5.0b3.dev94

0.5.0b3.dev95

0.5.0b3.dev96

0.5.0b3.dev97

0.5.0b3.dev98

0.5.0b3.dev99

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-129.yaml"