{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/pyload-ng--0.5.0b3.dev99/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pyload-ng (\u003c= 0.5.0b3.dev99)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","web-application","pyload"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003ePyLoad, a free and open-source download manager, contains a path traversal vulnerability in its \u003ccode\u003eset_package_data\u003c/code\u003e API function. Specifically, versions up to and including 0.5.0b3.dev99 fail to properly sanitize the package folder name. This lack of sanitization allows a user with \u003ccode\u003ePerms.MODIFY\u003c/code\u003e to specify arbitrary directories as download locations for a package. An attacker can leverage this flaw to write files outside the intended download directory, potentially leading to arbitrary code execution if the PyLoad process has sufficient privileges. The vulnerability was disclosed in GHSA-838g-gr43-qqg9 on May 5, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the PyLoad API, potentially through leaked credentials or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/api/add_package\u003c/code\u003e endpoint to create a new package with a specified name and download link (e.g., \u003ccode\u003ehttp://example.com/file.txt\u003c/code\u003e). The response includes the assigned package ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/api/set_package_data\u003c/code\u003e endpoint, targeting the newly created package ID.\u003c/li\u003e\n\u003cli\u003eWithin the JSON payload for \u003ccode\u003eset_package_data\u003c/code\u003e, the attacker includes a \u003ccode\u003edata\u003c/code\u003e object with the key \u003ccode\u003e_folder\u003c/code\u003e set to an absolute path containing directory traversal sequences (e.g., \u003ccode\u003e/users/root/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe PyLoad application, lacking proper sanitization, accepts the attacker-controlled path as the download location.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a download associated with the package.\u003c/li\u003e\n\u003cli\u003ePyLoad attempts to write downloaded files to the attacker-specified path (e.g., \u003ccode\u003e/users/root/\u003c/code\u003e), potentially overwriting existing files or creating new ones.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file write, leading to potential privilege escalation or code execution if writable locations like system configuration files are targeted.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to write files to arbitrary locations on the file system with the privileges of the PyLoad process. This could lead to privilege escalation, arbitrary code execution, or denial of service. Given that PyLoad is often deployed on personal servers or NAS devices, the impact could range from data theft to complete system compromise. Affected versions include all PyLoad versions up to and including 0.5.0b3.dev99.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PyLoad to a version beyond 0.5.0b3.dev99 that includes the patch for CVE-2026-42315.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PyLoad set_package_data Path Traversal\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for suspicious folder paths in \u003ccode\u003eset_package_data\u003c/code\u003e requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/set_package_data\u003c/code\u003e with suspicious \u003ccode\u003e_folder\u003c/code\u003e values containing absolute paths and directory traversal sequences.\u003c/li\u003e\n\u003cli\u003eReview and restrict API access to PyLoad to only trusted sources to mitigate the risk of unauthorized exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-pyload-path-traversal/","summary":"PyLoad versions 0.5.0b3.dev99 and earlier contain a path traversal vulnerability in the `set_package_data` function, allowing attackers to write files to arbitrary directories with the privileges of the PyLoad process.","title":"PyLoad Path Traversal Vulnerability in set_package_data","url":"https://feed.craftedsignal.io/briefs/2026-05-pyload-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Pyload-Ng (\u003c= 0.5.0b3.dev99)","version":"https://jsonfeed.org/version/1.1"}