CVE-2026-35592— pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35592
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
pyLoad 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pyLoad是pyLoad开源的一个用 Python 编写的免费开源下载管理器。 pyLoad 0.5.0b3.dev97之前版本存在路径遍历漏洞,该漏洞源于_safe_extractall函数使用os.path.commonprefix进行路径遍历检查,该函数执行字符级字符串比较而非路径级比较,可能导致特制tar存档将文件写入预期提取目录之外。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-35592
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35592
请登录查看更多情报信息。
Same Patch Batch · pyload · 2026-04-07 · 4 CVEs total
| CVE-2026-35463 | 8.8 HIGH | pyLoad has Improper Neutralization of Special Elements used in an OS Command |
| CVE-2026-35464 | 7.5 HIGH | pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitr |
| CVE-2026-35586 | 6.8 MEDIUM | Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in |
IV. Related Vulnerabilities
Same product: pyload
- CVE-2026-41133
pyLoad has Stale Session Privilege After Role/Permission Cha - CVE-2026-40594
pyLoad: Session Cookie Security Downgrade via Untrusted X-Fo - CVE-2026-40071
pyLoad WebUI JSON permission mismatch lets ADD/DELETE users - CVE-2026-35586
Authorization Bypass for SSL Certificate/Key Configuration D - CVE-2026-35464
pyLoad has an incomplete fix for CVE-2026-33509: unprotected
Same vendor: pyload
- CVE-2026-41133
pyLoad has Stale Session Privilege After Role/Permission Cha - CVE-2026-40594
pyLoad: Session Cookie Security Downgrade via Untrusted X-Fo - CVE-2026-40071
pyLoad WebUI JSON permission mismatch lets ADD/DELETE users - CVE-2026-35586
Authorization Bypass for SSL Certificate/Key Configuration D - CVE-2026-35464
pyLoad has an incomplete fix for CVE-2026-33509: unprotected
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2026-35592
No comments yet