CVE-2026-32808 HIGH

CVE-2026-32808: pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification

Vendor Pyload
Product pyload
Weakness CWE-22 · Path traversal
Published March 20, 2026
Last update March 25, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
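One way to apply the constraint the description says was missing, as an added example (this is not pyLoad's code or its actual fix): resolve the entry name taken from the archive listing against the extraction directory and refuse to delete anything that lands outside it. The names `resolve_inside`, `delete_extracted_entry` and `UnsafeEntryName`, and the sample file names, are hypothetical.

```python
import tempfile
from pathlib import Path


class UnsafeEntryName(ValueError):
    """Entry name from an archive listing resolves outside the extraction directory."""


def resolve_inside(extract_dir, entry_name):
    """Return the absolute path for entry_name, guaranteed to lie under extract_dir."""
    base = Path(extract_dir).resolve()
    # Listings may carry either separator; normalise before joining.
    name = entry_name.replace("\\", "/")
    # Joining an absolute or drive-qualified name would discard base, so reject it.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntryName(entry_name)
    candidate = (base / name).resolve()  # collapses ".." and follows symlinks
    if candidate == base or base not in candidate.parents:
        raise UnsafeEntryName(entry_name)
    return candidate


def delete_extracted_entry(extract_dir, entry_name):
    """Delete a file left by a test extraction; refuse names that escape extract_dir."""
    try:
        target = resolve_inside(extract_dir, entry_name)
    except UnsafeEntryName:
        return False
    if target.is_file():
        target.unlink()
        return True
    return False


if __name__ == "__main__":
    # Constructed sample layout: one file inside the extraction directory, one outside.
    with tempfile.TemporaryDirectory() as root:
        extract = Path(root, "extract")
        extract.mkdir()
        Path(root, "keep.txt").write_text("must survive")
        (extract / "a.txt").write_text("temporary")
        for entry in ("a.txt", "../keep.txt", "sub\\..\\..\\keep.txt"):
            print(entry, "->", delete_extracted_entry(extract, entry))
```
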

Key dates

02 Disclosure timeline

March 20, 2026 CVE published
March 25, 2026 Record updated