CVE-2026-42315: pyLoad Directory Traversal Puts Data at Risk

The National Vulnerability Database (NVD) has detailed CVE-2026-42315, a high-severity directory traversal vulnerability in pyLoad, a free and open-source download manager. This flaw, present in versions prior to 0.5.0b3.dev100, allows an authenticated attacker with Perms.MODIFY privileges to specify arbitrary download locations. This is not some theoretical exploit; it’s a direct path for an attacker to write files anywhere on the system.

The vulnerability stems from a complete lack of sanitization of the folder name passed through the `set_package_data()` API function. An attacker can manipulate the `_folder` key within the data object, effectively bypassing security controls and dictating where package files are stored. The CVSSv3.1 score of 8.1 (High) reflects the severity, driven primarily by high integrity and availability impacts (I:H/A:H). This isn’t just about data exfiltration; it’s about system compromise.

For defenders, this means understanding that even seemingly innocuous internal tools can harbor critical flaws. An attacker who gains a foothold and escalates to Perms.MODIFY on a pyLoad instance can drop malicious payloads in sensitive directories, overwrite critical system files, or disrupt operations entirely. It’s a classic case of improper input validation leading to catastrophic consequences. The fix is available in pyLoad version 0.5.0b3.dev100, addressing CWE-22 (Path Traversal) and CWE-36 (Absolute Path Traversal).
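The unsanitized-folder pattern described above, next to a containment check that covers both CWE-22 and CWE-36. This is an added example, not pyLoad's code or its actual patch; `resolve_unchecked`, `resolve_checked`, `classify` and the sample folder names are hypothetical.

```python
import os
from pathlib import Path


class UnsafeFolderError(ValueError):
    """The requested package folder would land outside the download root."""


def resolve_unchecked(download_root: str, folder: str) -> str:
    # Pattern the advisory describes: the caller-supplied name is joined as-is.
    # os.path.join() drops download_root entirely when folder is absolute,
    # and normpath() walks '..' segments above the root.
    return os.path.normpath(os.path.join(download_root, folder))


def resolve_checked(download_root: str, folder: str) -> Path:
    # Hypothetical hardened helper; not pyLoad's actual patch.
    if not isinstance(folder, str) or not folder or "\x00" in folder:
        raise UnsafeFolderError("folder must be a non-empty string without NUL")
    if Path(folder).is_absolute():  # CWE-36: absolute path supplied
        raise UnsafeFolderError("absolute paths are not allowed")
    root = Path(download_root).resolve()
    # CWE-22: resolve '..' and symlinks first, then require containment.
    target = (root / folder).resolve()
    if target != root and root not in target.parents:
        raise UnsafeFolderError("folder escapes the download root")
    return target


def classify(download_root: str, folder: str) -> str:
    """Return 'accepted' or 'rejected' for a requested folder value."""
    try:
        resolve_checked(download_root, folder)
        return "accepted"
    except UnsafeFolderError:
        return "rejected"


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed download root for the demo
    for name in ["linux-isos/2026", "a/../b", "../../outside", "/srv/elsewhere"]:
        print(f"{name!r:20} unchecked={resolve_unchecked(root, name)} "
              f"checked={classify(root, name)}")
```

The check resolves the path before comparing it, so a name such as `a/../b` that stays inside the root is still accepted while anything that resolves outside it is refused.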

What This Means For You

  • If your organization uses pyLoad, check your deployed versions immediately. Prioritize upgrading to 0.5.0b3.dev100 or later to patch CVE-2026-42315. Audit user permissions on pyLoad instances and restrict `Perms.MODIFY` to only trusted administrators. Attackers will leverage authenticated flaws like this to expand their reach once inside your perimeter.

🛡️ Detection Rules

critical T1578.002 Defense Evasion

CVE-2026-42315: pyLoad Directory Traversal via set_package_data API

Sigma YAML:
title: CVE-2026-42315: pyLoad Directory Traversal via set_package_data API
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-42315 by identifying API calls to '/set_package_data' that include '_folder' and directory traversal characters ('../') in the query string. This indicates an attempt to manipulate download locations to arbitrary directories.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42315/
tags:
  - attack.defense_evasion
  - attack.t1578.002
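logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/set_package_data'
    # Both substrings must appear in the query string. A YAML mapping cannot
    # repeat the 'cs-uri-query|contains' key, so the 'all' modifier is used.
    cs-uri-query|contains|all:
      - '_folder'
      - '../'
  condition: selection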
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-42315 | Path Traversal | pyLoad < 0.5.0b3.dev100 |
| CVE-2026-42315 | Path Traversal | Vulnerable function: set_package_data() API with '_folder' key |
| CVE-2026-42315 | Path Traversal | Affected component: pyLoad download manager |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
