CVE-2026-35592

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.

How to fix CVE-2026-35592

To remediate CVE-2026-35592, upgrade the affected package to a fixed version below.

• —upgrade to 0.5.0b3.dev97 or later
• —upgrade to 0.5.0b3.dev97 or later

Is CVE-2026-35592 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 0.5.0b3.dev97
• from 0, < 0.5.0b3.dev97

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-35592
• PATCHgithub.com/pyload/pyload
• WEBgithub.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-124.yaml