Cyber Posture

CVE-2026-32808

Severity: High · Public PoC

Published: 20 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: fixed in pyLoad 0.5.0b3.dev97
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0018 (39.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32808 is a high-severity Path Traversal (CWE-22) vulnerability in pyLoad (NVD vendor/product: pyload/pyload). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). EPSS ranks it at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to File Deletion (T1070.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): Directly addresses the path traversal flaw by requiring identification, reporting, and correction of vulnerabilities in pyLoad prior to version 0.5.0b3.dev97, i.e. upgrading to the fixed release.

SI-10 Information Input Validation (prevent): Requires validation of untrusted archive entry names derived from 7z listing output before they are used as filesystem paths, so that a name such as one containing ".." cannot resolve outside the extraction directory.

Detect: Enables monitoring of filesystem activity to detect unauthorized file deletions resulting from exploitation of the path traversal vulnerability.

MITRE ATT&CK Enterprise Techniques [AI]

T1070.004 File Deletion (Indicator Removal; tactic: Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

The path traversal vulnerability directly enables arbitrary file deletion outside the intended directory during processing of a malicious 7z archive, mapping to T1070.004 File Deletion (T1107 is the retired identifier for the same technique). Note that the technique describes adversaries erasing their own traces; the mapping here reflects the capability the flaw grants, deletion of arbitrary files on the victim host, which is also why the CVSS vector records high integrity and availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.

Deeper analysisAI

CVE-2026-32808 is a path traversal vulnerability (CWE-22) in pyLoad, a free and open-source download manager written in Python. Versions prior to 0.5.0b3.dev97 are affected during password verification of certain encrypted 7z archives, specifically those with encrypted files but non-encrypted headers. In this process, pyLoad derives an archive entry name from the 7z listing output and uses it as a filesystem path without restricting it to the extraction directory, enabling arbitrary file deletion outside that directory. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into adding a specially crafted encrypted 7z archive to pyLoad for password verification. No privileges are required, but user interaction is necessary, such as selecting or processing the malicious archive through the download manager's interface. Successful exploitation allows the attacker to delete arbitrary files on the victim's filesystem, with high impact on integrity and availability but no confidentiality impact.

The issue has been addressed in pyLoad version 0.5.0b3.dev97. Additional details are available in the GitHub Security Advisory at https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3.
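The mechanism described above, and the entry-name validation the SI-10 control calls for, as an added example in Python (pyLoad's language). This is not pyLoad's code: the `7z l -slt` listing text, the scratch file names and the function names (`entry_names`, `vulnerable_cleanup`, `hardened_cleanup`, `confined_path`) are constructed for illustration. It parses entry names out of the listing, runs a cleanup step that trusts the name as a path (the flawed pattern the advisory describes), then runs the same step with the candidate resolved and confined to the extraction directory.

```python
"""Added example, not pyLoad's code: an archive entry name taken from
`7z l -slt` output must be confined to the extraction directory before it
is used as a filesystem path. Listing text and file names are constructed."""
import os
import re
import tempfile
from pathlib import Path

# Constructed stand-in for `7z l -slt` technical-listing output. Real output
# carries more header lines; only the entry blocks after '----------' matter.
SAMPLE_LISTING = """\
7-Zip 23.01 (x64)
Listing archive: sample.7z
--
Path = sample.7z
Type = 7z
Headers Size = 130
----------
Path = ../outside.txt
Size = 7
Encrypted = +
Method = LZMA2:12 7zAES

Path = docs/readme.txt
Size = 3
Encrypted = +
Method = LZMA2:12 7zAES
"""

ENTRY_PATH = re.compile(r"^Path = (.*)$")


def entry_names(listing):
    """Return the 'Path = ' values of the entry blocks, i.e. those after the
    '----------' separator; the archive's own 'Path' line above it is skipped."""
    names, in_entries = [], False
    for line in listing.splitlines():
        if line.strip() == "----------":
            in_entries = True
            continue
        m = ENTRY_PATH.match(line)
        if in_entries and m:
            names.append(m.group(1))
    return names


def vulnerable_cleanup(extract_dir, name):
    """Flawed pattern: join the untrusted name onto extract_dir and delete.
    '..' components walk out of extract_dir, so the caller deletes whatever
    the archive author pointed at."""
    target = os.path.join(extract_dir, name)
    if os.path.isfile(target):
        os.remove(target)
    return target


def confined_path(extract_dir, name):
    """Resolve the candidate and require it to stay under extract_dir.
    resolve() collapses both '..' and symlinks before the containment check."""
    root = Path(extract_dir).resolve()
    candidate = (root / name).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"entry name escapes extraction directory: {name!r}")
    return candidate


def hardened_cleanup(extract_dir, name):
    """Same cleanup step, but only on a path proven to be inside extract_dir."""
    target = confined_path(extract_dir, name)
    if target.is_file():
        target.unlink()
    return target


def demo():
    """Run both cleanups against the constructed listing in a scratch tree and
    return what happened (returned rather than printed so it can be asserted)."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        extract = Path(tmp, "extract")
        extract.mkdir()
        victim = Path(tmp, "outside.txt")   # one level above extract/
        victim.write_text("keep me")
        malicious, benign = entry_names(SAMPLE_LISTING)

        vulnerable_cleanup(extract, malicious)
        result["vulnerable_deleted_outside"] = not victim.exists()

        victim.write_text("keep me")
        try:
            hardened_cleanup(extract, malicious)
            result["hardened_rejected"] = False
        except ValueError:
            result["hardened_rejected"] = True
        result["hardened_left_victim_intact"] = victim.exists()

        # An ordinary relative entry is still accepted by the confined version.
        (extract / "docs").mkdir()
        inner = extract / benign
        inner.write_text("ok")
        hardened_cleanup(extract, benign)
        result["hardened_deleted_inner"] = not inner.exists()
    return result


if __name__ == "__main__":
    print(demo())
```

The containment test compares fully resolved paths rather than string prefixes, so `extract_dir/../extract_evil` and symlinked entries are rejected as well as plain `..` sequences; on Python 3.9 and later `candidate.is_relative_to(root)` expresses the same check.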

Details

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Affected Products

pyload / pyload: ≤ 0.4.20
pyload-ng project / pyload-ng: 0.5.0a5.dev528 up to, but not including, 0.5.0b3.dev97 (the fixed version)

CVEs Like This One

CVE-2026-33511 (same product: pyload-ng)
CVE-2026-33509 (same product: pyload-ng)
CVE-2025-54802 (same product: pyload-ng)
CVE-2026-42315 (same product: pyload-ng)
CVE-2025-24960 (shared CWE-22)
CVE-2025-14520 (shared CWE-22)
CVE-2026-35187 (same product: pyload-ng)
CVE-2026-35459 (same product: pyload-ng)
CVE-2026-29778 (same product: pyload-ng)
CVE-2026-35464 (same product: pyload)
