{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32808", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.695Z", "datePublished": "2026-03-20T01:45:07.446Z", "dateUpdated": "2026-03-20T01:45:57.970Z"}, "containers": {"cna": {"title": "pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": ">= 0.4.9-6262-g2fa0b11d3, < 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:45:57.970Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-7g4m-8hx2-4qh3", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."}], "id": "CVE-2026-32808", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:34.683", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.4.9-6262-g2fa0b11d3,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-03-20T03:21:26.499631+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or later to fix the path traversal vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion via path traversal"}, "threat_synthesis": {"affected_systems": "pyLoad versions prior to 0.5.0b3.dev97 are affected, regardless of the platform. The issue exists in the pyload:pyload product line as described by the vendor.", "description_and_impact": "The vulnerability originates from path traversal during password verification of encrypted 7z archives with non\u2011encrypted headers. The extractor parses the archive listing, derives an entry name, and uses it directly as a filesystem path during password checks. This allows an attacker to supply a specially crafted archive that causes pyLoad to delete files located outside the intended extraction directory. The impact is arbitrary file deletion, potentially compromising system integrity and availability. The weakness corresponds to CWE\u201122 (Path Traversal).", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious 7z archive to the password verification routine; no remote code execution or privilege escalation is guaranteed, but arbitrary deletion of files can be critical if performed with elevated permissions. The attack vector is inferred to be local or within the context of a user running pyLoad, as the vulnerability depends on file I/O during archive handling."}}}}, "created": "2026-03-20T08:53:12.544109+00:00", "updated": "2026-03-20T10:43:05.913252+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}