Unrated severityNVD Advisory· Published Mar 20, 2026· Updated Mar 25, 2026

pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification

CVE-2026-32808

Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.

Affected products

Pyload/Pyloadv5
Range: >= 0.4.9-6262-g2fa0b11d3, < 0.5.0b3.dev97

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000