CVE-2026-42315
pyload · pyload
pyLoad is vulnerable to path traversal, allowing authenticated users to read or write files outside of the intended directories.
Executive summary
An authenticated path traversal vulnerability in pyLoad versions prior to 0.5.0b3.dev100 permits unauthorized file system access and manipulation.
Vulnerability
This vulnerability involves Improper Limitation of a Pathname (CWE-22) and Absolute Path Traversal (CWE-36). Exploitation requires low-privileged authentication (PR:L) and allows an attacker to impact file integrity and system availability (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
Business impact
With a CVSS score of 8.1, this vulnerability presents a High risk to system integrity. An authenticated attacker can overwrite critical application files or system components, potentially leading to a denial of service or further escalation of privileges, which could disrupt business operations.
Remediation
Immediate Action: Upgrade to pyLoad version 0.5.0b3.dev100 or later to resolve the path traversal flaw.
Proactive Monitoring: Monitor application logs for unusual file write or access attempts that deviate from standard user behavior.
Compensating Controls: Restrict access to the pyLoad web interface via VPN or IP-based access control lists (ACLs) to ensure only authorized personnel can interact with the management console.
Exploitation status
Public Exploit Available: No (Exploit_available: unknown)
Analyst recommendation
Given the capability for file manipulation, this vulnerability should be patched promptly. Organizations should enforce strict access controls on the management interface while performing the necessary version upgrades to mitigate the risk of unauthorized system modification.