6.5
pyLoad Download Manager: Unvalidated Input Allows Path Traversal
GHSA-6px9-j4qr-xfjw
CVE-2026-29778
Summary
A security issue affects pyLoad download manager versions 0.5.0b3.dev13 to 0.5.0b3.dev96. An attacker could potentially trick the program into accessing unauthorized files or directories. Update to version 0.5.0b3.dev97 to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pyload-ng | > 0.5.0b3.dev13, <= 0.5.0b3.dev96 | – |
| pyload-ng_project | pyload-ng | > 0.5.0b3.dev13, <= 0.5.0b3.dev97 | – |
Original title
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folde...
Original description
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
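The single-pass filter described above, set beside a containment check on the resolved path, as an added example (this is not pyLoad's code or its actual patch). The function names, the temporary base directory and the sample input are constructed for illustration.

```python
import os
import tempfile


def weak_sanitize(folder: str) -> str:
    """Single-pass removal of "../" (the insufficient pattern in the advisory)."""
    return folder.replace("../", "")


def is_within(base_dir: str, path: str) -> bool:
    """True if path, once fully resolved, is base_dir or lies beneath it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def safe_join(base_dir: str, folder: str) -> str:
    """Join folder onto base_dir, rejecting the result if it escapes base_dir."""
    if "\x00" in folder:
        raise ValueError("NUL byte in folder name")
    candidate = os.path.realpath(os.path.join(base_dir, folder))
    if not is_within(base_dir, candidate):
        raise ValueError(f"folder escapes base directory: {folder!r}")
    return candidate


if __name__ == "__main__":
    base = tempfile.mkdtemp()        # constructed stand-in for a download root
    nested = "....//....//outside"   # constructed sample input
    filtered = weak_sanitize(nested)
    # One pass removes the inner "../" and the leftovers re-form "../"
    print("after single-pass filter:", filtered)
    print("stays inside base:", is_within(base, os.path.join(base, filtered)))
    for name in (filtered, "/etc", "pkg/sub"):
        try:
            print("accepted:", safe_join(base, name))
        except ValueError as exc:
            print("rejected:", exc)
```

The check validates the final resolved path instead of rewriting the input string, so it does not depend on how many passes a filter makes.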
ghsa CVSS3.1
7.1
Vulnerability type
CWE-23
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026