CVE-2026-29778 HIGH

CVE-2026-29778: pyLoad: Arbitrary File Write via Path Traversal in edit_package()

Vendor Pyload
Product pyload
Weakness CWE-23
Published March 7, 2026
Last update March 9, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01 Description

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function does not sufficiently sanitize the pack_folder parameter. The existing protection is a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences: removing one "../" from such a sequence leaves the surrounding characters to form a new one. This issue has been patched in version 0.5.0b3.dev97.
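The weakness class described above, as an added example that is not pyLoad's code or its patch: a single-pass replacement next to a resolve-then-check containment test. The function names, the sample folder names and the temporary storage root are assumptions made for illustration.

```python
import os
import tempfile

# Constructed sample input: a nested sequence that collapses into "../" after one pass.
NESTED = "....//....//outside"

def strip_once(name: str) -> str:
    """Weak pattern: a single str.replace pass over "../" (hypothetical helper)."""
    return name.replace("../", "")

def resolve_inside(base: str, name: str) -> str:
    """Hardened pattern: resolve the final path and require it to stay under base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    # commonpath compares whole path components, so "/data2" does not pass for "/data".
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"folder escapes storage root: {name!r}")
    return target

def audit(base: str, names: list[str]) -> dict[str, bool]:
    """Map each candidate folder name to True if it stays inside base."""
    result = {}
    for name in names:
        try:
            resolve_inside(base, name)
            result[name] = True
        except ValueError:
            result[name] = False
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # The "sanitized" value is more dangerous than the raw one.
        print(repr(strip_once(NESTED)))
        print(audit(root, ["movies/2026", strip_once(NESTED), NESTED, "/etc"]))
```

The raw nested name is only an oddly named subdirectory; it is the filtering pass that turns it into a traversal, which is why the check belongs on the resolved path rather than on the input string.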

Key dates

02 Disclosure timeline

March 7, 2026 CVE published
March 9, 2026 Record updated