pyLoad, Path Traversal, CVE-2026-29778 (High)

Listen to this Post

The vulnerability in pyLoad, identified as CVE-2026-29778, resides in the `edit_package()` function found within the `json_blueprint.py` file. This function handles user input for the `pack_folder` parameter, which is used to set the storage directory for a download package. The developers attempted to implement a security measure to prevent path traversal attacks by performing a single-pass string replacement of the `”../”` sequence. However, this sanitization is insufficient. An attacker can bypass this filter by using crafted recursive traversal sequences. For example, a payload like `”….//”` bypasses the filter because the simple replacement of `”../”` does not catch the nested pattern. After the first pass, the string might transform into "../", which then becomes a valid traversal sequence. This allows an authenticated user to manipulate the `pack_folder` value to point to an arbitrary directory on the system, outside the intended download folder. By controlling where files are downloaded and stored, the attacker can write files to sensitive locations. This can be chained with other functionalities, such as writing a malicious script into a directory monitored by pyLoad’s script execution engine. When the script is triggered (e.g., after a download finishes), it executes with the privileges of the pyLoad process, leading to remote code execution (RCE) on the server. The issue affects pyLoad versions from 0.5.0b3.dev13 up to, but not including, 0.5.0b3.dev97. The vulnerability has been addressed in version 0.5.0b3.dev97 by implementing more robust path sanitization and validation.

DailyCVE Form:

Platform: pyLoad
Version: 0.5.0b3.dev13-dev96
Vulnerability: Path Traversal
Severity: HIGH
Date: 2026-03-07

Prediction: Patch by 2026-04-01

What Undercode Say:

Analytics:

`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L (7.1)`

`CWE-23: Relative Path Traversal`

`EPSS Probability: 0.26% (49th percentile)`

`Patch Commit: 0.5.0b3.dev97`

Bash Commands:

Identify vulnerable instance version
pyload --version
Example of bypassing filter with recursive traversal (conceptual)
curl -X POST http://target:8000/json/edit_package \
-b "session=YOUR_SESSION_COOKIE" \
-d "pack_id=123&pack_name=Malicious&pack_folder=....//....//....//config/scripts/download_finished/&pack_pws="
Setup listener for reverse shell (if RCE is achieved)
nc -lvnp 9999

Exploit:

The core of the exploit is the filter bypass. The developer’s attempt to remove `”../”` is a single pass, so an attacker sends "....//". The filter removes the middle "../", leaving "../", which the system then uses to traverse directories. An authenticated attacker edits a package and sets its folder to a path like "....//....//....//etc/cron.d/". When the package downloads a file, it writes it to the system’s cron directory, potentially creating a scheduled job for execution.

Protection from this CVE:

  1. Update pyLoad to version `0.5.0b3.dev97` or later, which contains the official patch.
  2. Implement Input Validation: Use a secure programming library function to canonicalize paths (e.g., os.path.abspath) and verify that the user-supplied path is a subdirectory of the intended base directory before use.
  3. Least Privilege: Run the pyLoad process with the minimum necessary filesystem permissions to limit the impact of a successful file write.

Impact:

  • Arbitrary File Write: Write malicious files to any location on the server.
  • Remote Code Execution (RCE): Achieved by writing files (like scripts or cron jobs) that are later executed by the system.
  • Privilege Escalation: If pyLoad runs with high privileges, an attacker can leverage this to gain full control of the host system.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top