PYSEC-2026-2158

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/gdown/PYSEC-2026-2158.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2158
Aliases
Published
2026-04-18T03:16:13.157Z
Modified
2026-07-13T07:15:30.143176232Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.

References

Affected packages

PyPI / gdown

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.2.2

Affected versions

1.*
1.0.0
1.0.1
1.0.2
2.*
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
3.*
3.0.0
3.1.0
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.5.0
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.7.0
3.7.1
3.7.3
3.7.4
3.8.0
3.8.1
3.8.2
3.8.3
3.9.0
3.9.1
3.10.0
3.10.1
3.10.2
3.10.3
3.11.0rc1
3.11.0
3.11.1
3.12.0
3.12.1
3.12.2
3.13.0
3.13.1
3.14.0
3.15.0
4.*
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.4.0
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.7.0
4.7.1
4.7.2
4.7.3
5.*
5.0.0rc1
5.0.0
5.0.1
5.1.0
5.2.0
5.2.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/gdown/PYSEC-2026-2158.yaml"