{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32808", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.695Z", "datePublished": "2026-03-20T01:45:07.446Z", "dateUpdated": "2026-03-25T14:29:07.756Z"}, "containers": {"cna": {"title": "pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": ">= 0.4.9-6262-g2fa0b11d3, < 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:45:57.970Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-7g4m-8hx2-4qh3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:28:11.035693Z", "id": "CVE-2026-32808", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:29:07.756Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32808", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:28:11.035693Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:28:44.482Z"}}], "cna": {"title": "pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification", "source": {"advisory": "GHSA-7g4m-8hx2-4qh3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": ">= 0.4.9-6262-g2fa0b11d3, < 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:45:57.970Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32808", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:29:07.756Z", "dateReserved": "2026-03-16T17:35:36.695Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T01:45:07.446Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "DACFA9B5-22AD-4BC6-87D5-8272FF49BD56", "versionEndIncluding": "0.4.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "FCF4830F-E848-4F80-AB82-2040E219E677", "versionEndExcluding": "0.5.0b3.dev97", "versionStartIncluding": "0.5.0a5.dev528", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python. Las versiones anteriores a 0.5.0b3.dev97 son vulnerables a salto de ruta durante la verificaci\u00f3n de contrase\u00f1a de ciertos archivos 7z cifrados (archivos cifrados con encabezados no cifrados), causando la eliminaci\u00f3n arbitraria de archivos fuera del directorio de extracci\u00f3n. Durante la verificaci\u00f3n de contrase\u00f1a, pyLoad deriva un nombre de entrada de archivo de la salida de listado de 7z y lo trata como una ruta del sistema de archivos sin restringirlo al directorio de extracci\u00f3n. Este problema ha sido corregido en la versi\u00f3n 0.5.0b3.dev97."}], "id": "CVE-2026-32808", "lastModified": "2026-03-26T18:36:48.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:34.683", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.4.9-6262-g2fa0b11d3,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-03-20T03:21:26.499631+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or later to fix the path traversal vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion via path traversal"}, "threat_synthesis": {"affected_systems": "pyLoad versions prior to 0.5.0b3.dev97 are affected, regardless of the platform. The issue exists in the pyload:pyload product line as described by the vendor.", "description_and_impact": "The vulnerability originates from path traversal during password verification of encrypted 7z archives with non\u2011encrypted headers. The extractor parses the archive listing, derives an entry name, and uses it directly as a filesystem path during password checks. This allows an attacker to supply a specially crafted archive that causes pyLoad to delete files located outside the intended extraction directory. The impact is arbitrary file deletion, potentially compromising system integrity and availability. The weakness corresponds to CWE\u201122 (Path Traversal).", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious 7z archive to the password verification routine; no remote code execution or privilege escalation is guaranteed, but arbitrary deletion of files can be critical if performed with elevated permissions. The attack vector is inferred to be local or within the context of a user running pyLoad, as the vulnerability depends on file I/O during archive handling."}}}}, "created": "2026-03-20T08:53:12.544109+00:00", "updated": "2026-03-20T10:43:05.913252+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}