MEDIUM 6.5

PYSEC-2026-128

Details

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / pyload-ng

Introduced in: 0 Fixed in: 0.5.0b3.dev100

Fix pip install --upgrade 'pyload-ng>=0.5.0b3.dev100'

References

https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8 [EVIDENCE]