Cyber Posture

CVE-2026-32808

Severity: High · Public PoC

Published: 20 March 2026

Modified: 26 March 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0018 (39.6th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly addresses the path traversal flaw by requiring identification, reporting, and correction of vulnerabilities in pyLoad prior to version 0.5.0b3.dev97.

prevent: Requires validation of untrusted archive entry names derived from 7z listing output before using them as filesystem paths, preventing path traversal outside the extraction directory.

detect: Enables monitoring of filesystem activity to detect unauthorized file deletions resulting from exploitation of the path traversal vulnerability.

Security Summary

CVE-2026-32808 is a path traversal vulnerability (CWE-22) in pyLoad, a free and open-source download manager written in Python. Versions prior to 0.5.0b3.dev97 are affected during password verification of certain encrypted 7z archives, specifically those with encrypted files but non-encrypted headers. In this process, pyLoad derives an archive entry name from the 7z listing output and uses it as a filesystem path without restricting it to the extraction directory, enabling arbitrary file deletion outside that directory. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into adding a specially crafted encrypted 7z archive to pyLoad for password verification. No privileges are required, but user interaction is necessary, such as selecting or processing the malicious archive through the download manager's interface. Successful exploitation allows the attacker to delete arbitrary files on the victim's filesystem, with high impact on integrity and availability but no confidentiality impact.

The issue has been addressed in pyLoad version 0.5.0b3.dev97. Additional details are available in the GitHub Security Advisory at https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3.
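The check that the description and security summary describe as missing, written here as an added example (not pyLoad's own code): pull the entry names out of a `7z l -slt` style listing and refuse any name that would resolve outside the extraction directory before it is used as a filesystem path. The listing text, the extraction directory and the function names are constructed for this example.

```python
import os

# Constructed, simplified sample of `7z l -slt` listing output (not captured from a
# real archive); only the "Path = ..." fields are consumed below.
SAMPLE_LISTING = """\
Listing archive: sample.7z
----------
Path = docs/readme.txt
Encrypted = +

Path = ../outside.txt
Encrypted = +

Path = /etc/hosts
Encrypted = +
"""

def entry_names_from_listing(listing):
    """Collect archive entry names, i.e. the 'Path = ...' fields, from a -slt listing."""
    prefix = "Path = "
    return [line[len(prefix):] for line in listing.splitlines() if line.startswith(prefix)]

def safe_join(extract_dir, entry_name):
    """Map an untrusted entry name to a path inside extract_dir.

    Raises ValueError for names that would escape it: absolute or drive-qualified
    names, any '..' component, or a name that resolves to the root directory itself.
    """
    root = os.path.realpath(extract_dir)
    # 7z listings may use either separator; normalise before splitting.
    parts = [p for p in entry_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or entry_name[:1] in ("/", "\\") or ":" in parts[0] or ".." in parts:
        raise ValueError(f"unsafe archive entry name: {entry_name!r}")
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Second line of defence: the resolved path must still sit under the root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"entry escapes extraction directory: {entry_name!r}")
    return candidate

def classify_entries(extract_dir, listing):
    """Return {entry_name: 'accepted' | 'rejected'} for every entry in the listing."""
    verdicts = {}
    for name in entry_names_from_listing(listing):
        try:
            safe_join(extract_dir, name)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts
```

Only names that pass `safe_join` should ever reach a delete or write call; the rejected verdicts are also the natural place to log an attempted escape for the detection control listed above.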

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

Vendor / Product: Affected versions
pyload / pyload: ≤ 0.4.20
pyload-ng project / pyload-ng: 0.5.0a5.dev528 to 0.5.0b3.dev97

MITRE ATT&CK Enterprise Techniques

T1070.004 File Deletion · Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The path traversal vulnerability directly enables arbitrary file deletion outside the intended directory during processing of a malicious 7z archive, mapping to T1070.004 File Deletion (the current ID for the retired T1107).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
