CVE-2026-42315

pyload · pyload

pyLoad is vulnerable to path traversal, allowing authenticated users to read or write files outside of the intended directories.

Executive summary

An authenticated path traversal vulnerability in pyLoad versions prior to 0.5.0b3.dev100 permits unauthorized file system access and manipulation.

Vulnerability

This vulnerability involves Improper Limitation of a Pathname (CWE-22) and Absolute Path Traversal (CWE-36). Exploitation requires low-privileged authentication (PR:L) and allows an attacker to impact file integrity and system availability (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Business impact

With a CVSS score of 8.1, this vulnerability presents a High risk to system integrity. An authenticated attacker can overwrite critical application files or system components, potentially leading to a denial of service or further escalation of privileges, which could disrupt business operations.

Remediation

Immediate Action: Upgrade to pyLoad version 0.5.0b3.dev100 or later to resolve the path traversal flaw.

Proactive Monitoring: Monitor application logs for unusual file write or access attempts that deviate from standard user behavior.

Compensating Controls: Restrict access to the pyLoad web interface via VPN or IP-based access control lists (ACLs) to ensure only authorized personnel can interact with the management console.

Exploitation status

Public Exploit Available: No (Exploit_available: unknown)

Analyst recommendation

Given the capability for file manipulation, this vulnerability should be patched promptly. Organizations should enforce strict access controls on the management interface while performing the necessary version upgrades to mitigate the risk of unauthorized system modification.