Linux Distros Unpatched Vulnerability : CVE-2026-40491

🗓️ 18 Apr 2026 00:00:00Reported by TenableType

gdown before 5.2.2 vulnerable to path traversal in extractall, risk RCE.

Reporter	Title	Published	Views	Family All 21
ATTACKERKB	CVE-2026-40491	18 Apr 202601:36	–	attackerkb
Chainguard	CVE-2026-40491 vulnerabilities	23 Apr 202619:27	–	cgr
Circl	CVE-2026-40491	12 Apr 202606:08	–	circl
CNNVD	gdown 安全漏洞	18 Apr 202600:00	–	cnnvd
CVE	CVE-2026-40491	18 Apr 202601:36	–	cve
Cvelist	CVE-2026-40491 gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall	18 Apr 202601:36	–	cvelist
Debian CVE	CVE-2026-40491	18 Apr 202601:36	–	debiancve
EUVD	EUVD-2026-23642	18 Apr 202601:36	–	euvd
Github Security Blog	gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall	14 Apr 202601:11	–	github
NVD	CVE-2026-40491	18 Apr 202603:16	–	nvd

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-40491
ubuntu	www.ubuntu.com/security/CVE-2026-40491
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(307439);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/22");

  script_cve_id("CVE-2026-40491");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-40491");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path
    Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR
    archive, the library fails to sanitize or validate the filenames of the archive members. This allow files
    to be written outside the intended destination directory, potentially leading to arbitrary file overwrite
    and Remote Code Execution (RCE). Version 5.2.2 contains a fix. (CVE-2026-40491)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-40491");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-40491");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-40491");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gdown");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gdown");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-13", "Host/OS/Ubuntu Linux-25.10");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "gdown"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "gdown"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

22 May 2026 00:00Current

6Medium risk

Vulners AI Score6

CVSS 3.16.5 - 7.8

EPSS0.00077

SSVC