gdown: Malicious files can overwrite any file on your system
CVE-2026-40491
Summary
If you use a version of gdown before 5.2.2 and let it extract a downloaded archive, an attacker who controls the Google Drive file can craft a ZIP or TAR whose member names escape the destination directory and overwrite any file the gdown process can write. That can mean data loss or, if a configuration or startup file is overwritten, code execution on your system. Update to version 5.2.2 or later to fix this issue.
Original description
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
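The bug class described above is usually called "Zip Slip": an archive member named something like `../../evil.txt` is joined onto the destination directory and written wherever the traversal lands. The following is an added example, not gdown's own code and not the fix shipped in 5.2.2: a `safe_extractall` helper that validates every ZIP or TAR member name (and TAR link targets) against the destination before writing anything, plus two constructed malicious archives that exercise it. The function names, the `UnsafeArchiveMember` exception and the sample archive contents are all assumptions made for the demonstration.

```python
"""Path-traversal ("Zip Slip") check for ZIP/TAR extraction.

Added example for CVE-2026-40491, not gdown's own code. The archives are
constructed in memory so the demo runs offline.
"""
import io
import os
import tarfile
import tempfile
import zipfile


class UnsafeArchiveMember(ValueError):
    """Raised when an archive member would land outside the destination."""


def _is_within_directory(directory: str, target: str) -> bool:
    """True if `target` resolves to a path at or below `directory`."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def _check_member(dest: str, name: str) -> None:
    """Reject absolute member names and names that escape `dest`."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise UnsafeArchiveMember(name)
    if not _is_within_directory(dest, os.path.join(dest, name)):
        raise UnsafeArchiveMember(name)


def safe_extractall(archive: str, dest: str) -> list[str]:
    """Extract a ZIP or TAR into `dest`, refusing traversing members.

    All names are validated before any file is written, so a crafted
    archive cannot partially extract and then fail. Returns the names
    of the members that were extracted.
    """
    os.makedirs(dest, exist_ok=True)
    if zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            names = zf.namelist()
            for n in names:
                _check_member(dest, n)
            zf.extractall(dest)
            return names
    if tarfile.is_tarfile(archive):
        with tarfile.open(archive) as tf:
            members = tf.getmembers()
            for m in members:
                _check_member(dest, m.name)
                if m.issym() or m.islnk():
                    # Symlink targets are relative to the member's directory,
                    # hardlink targets to the archive root; both may escape.
                    base = os.path.dirname(m.name) if m.issym() else ""
                    target = os.path.join(dest, base, m.linkname)
                    if os.path.isabs(m.linkname) or not _is_within_directory(dest, target):
                        raise UnsafeArchiveMember(f"{m.name} -> {m.linkname}")
            tf.extractall(dest)
            return [m.name for m in members]
    raise ValueError("not a ZIP or TAR archive")


def build_malicious_tar(path: str) -> None:
    """Constructed sample: one legitimate member, one traversing member."""
    with tarfile.open(path, "w") as tf:
        for name, payload in (("model/weights.txt", b"ok"), ("../../evil.txt", b"pwned")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))


def build_malicious_zip(path: str) -> None:
    """Constructed sample: same layout as the TAR, in ZIP form."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("model/weights.txt", b"ok")
        zf.writestr("../../evil.txt", b"pwned")


def demo() -> dict:
    """Run the check against both constructed archives and report outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tar_path = os.path.join(tmp, "bad.tar")
        zip_path = os.path.join(tmp, "bad.zip")
        build_malicious_tar(tar_path)
        build_malicious_zip(zip_path)
        for label, path in (("tar", tar_path), ("zip", zip_path)):
            # dest is two levels below tmp, so "../../evil.txt" would land in tmp.
            dest = os.path.join(tmp, "out", label)
            try:
                safe_extractall(path, dest)
                results[label] = "extracted"
            except UnsafeArchiveMember as exc:
                results[label] = f"rejected: {exc}"
            results[label + "_escaped"] = os.path.exists(os.path.join(tmp, "evil.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats worth knowing when auditing code like this: Python's `zipfile.extractall` already strips leading `../` components from member names, so the ZIP side of the original bug depends on how the library resolved names itself; `tarfile.extractall` performed no such sanitization before the `filter` argument arrived in 3.12 (default `'data'` only from 3.14), so an explicit pre-extraction check like the one above is the portable defense, and `filter='data'` can be added on top where available.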
nvd CVSS3.1
6.5
Vulnerability type
CWE-22
Path Traversal
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026