Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-42315
8.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- python312Packages.pyloadapi
- python313Packages.pyloadapi
- python314Packages.pyloadapi
- home-assistant-component-tests.pyload
pyLoad: Path Traversal via Package Folder Name in set_package_data
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.
References
Affected products
pyload
- ==< 0.5.0b3.dev100
Matching in nixpkgs
pkgs.pyload-ng
Free and open-source download manager with support for 1-click-hosting sites
-
nixos-25.11 0.5.0b3.dev88
- nixos-25.11-small 0.5.0b3.dev88
- nixpkgs-25.11-darwin 0.5.0b3.dev88
Ignored packages (4)
pkgs.python312Packages.pyloadapi
Simple wrapper for pyLoad's API
pkgs.python313Packages.pyloadapi
Simple wrapper for pyLoad's API
pkgs.python314Packages.pyloadapi
Simple wrapper for pyLoad's API
pkgs.home-assistant-component-tests.pyload
Open source home automation that puts local control and privacy first
Package maintainers
-
@ruby0b ruby0b