Redos
added 2026/04/17 12:0 a.m., 3 views

ROS-20260417-73-0013

A vulnerability in the commonprefix function of the pip module of the Python programming language is related to an incorrect directory path name restriction. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to add and modify arbitrary files...

CVSS 2, AI score 5.9, EPSS 0.00026
Exploits 1
EUVD
added 2026/04/08 12:4 a.m., 1 views

EUVD-2026-19738

pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass...

CVSS 5.3, AI score 5.9, EPSS 0.00058
Exploits 1, References 2
OSV
added 2026/04/08 12:4 a.m., 3 views

GHSA-MVWX-582F-56R7 pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass

Summary: The _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended...

CVSS 5.3, AI score 5.9, EPSS 0.00058
Exploits 1, References 3
Github Security Blog
added 2026/04/08 12:4 a.m., 14 views

pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass

Summary: The _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended...

CVSS 9.8, AI score 6.9, EPSS 0.89361
Exploits 4, References 3, Affected software 1
PyPA
added 2026/04/07 5:16 p.m., 6 views

PYSEC-2026-124

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level...

CVSS 8.1, AI score 5.8, EPSS 0.00211
Exploits 2, References 1, Affected software 1
OSV
added 2026/04/07 5:16 p.m., 3 views

PYSEC-2026-124

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level...

CVSS 6.5, AI score 5.8, EPSS 0.00058
Exploits 1, References 1
ATTACKERKB
added 2026/04/07 4:11 p.m., 1 views

CVE-2026-35592

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level...

CVSS 8.1, AI score 5.9, EPSS 0.00211
Exploits 2, References 2, Affected software 1
Cvelist
added 2026/04/07 4:11 p.m., 17 views

CVE-2026-35592 pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level...

CVSS 5.3, EPSS 0.00058
Exploits 1, References 1
Vulnrichment
added 2026/04/07 4:11 p.m., 2 views

CVE-2026-35592 pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level...

CVSS 5.3, AI score 5.9, EPSS 0.00058
Exploits 1, References 1
CVE
added 2026/04/07 4:11 p.m., 4 views

CVE-2026-35592

Technical details (affected versions, root cause, exploitability, and mitigations) are not publicly provided in the supplied documents; monitor for updates.

CVSS 6.5, AI score 5.9, EPSS 0.00058
Exploits 1, References 1, Affected software 1
Positive Technologies
added 2026/04/07 12:0 a.m., 3 views

PT-2026-30897

Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev97. Description: pyLoad is a free and open-source download manager written in Python. The _safe_extractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for path traversal checks,...

CVSS 5.3, AI score 5.9, EPSS 0.00058
Exploits 1, References 6
RedhatCVE
added 2026/03/08 1:44 a.m., 2 views

CVE-2026-29790

dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safeextract function used when extracting tarball archives. The function uses os.path.commonprefix to validate that...

CVSS 5.3, AI score 5.7, EPSS 0.00097
Exploits 0, References 1
Veracode
added 2026/03/07 5:15 a.m., 2 views

Path Traversal

dbt-common is vulnerable to Path traversal. The vulnerability is due to the use of os.path.commonprefix for validating extraction paths, where commonprefix compares paths character‑by‑character rather than by path components, and an attacker can exploit this by providing a malicious tarball that...

CVSS 5.3, AI score 5.9, EPSS 0.00097
Exploits 0, References 3, Affected software 1
NVD
added 2026/03/06 9:16 p.m., 2 views

CVE-2026-29790

dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safeextract function used when extracting tarball archives. The function uses os.path.commonprefix to validate that...

CVSS 5.3, EPSS 0.00097
Exploits 0, References 3
Veracode
added 2025/09/30 6:1 p.m., 4 views

Directory Traversal

mobsf is vulnerable to Directory Traversal. The vulnerability is due to improper string path verification using os.path.commonprefix, which allows an attacker to download files outside the intended DWDDIR directory and access data from neighboring directories...

CVSS 5.3, AI score 7, EPSS 0.00199
Exploits 1, References 4, Affected software 1
OSV
added 2025/09/02 12:45 a.m., 3 views

CVE-2025-58161 MobSF Path Traversal in GET /download/<filename> using absolute filenames

MobSF is a mobile application security testing tool used. In version 4.4.0, the GET /download/ route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWDDIR download directory from "neighboring" directories whose absolute pat...

CVSS 5.3, AI score 6.7, EPSS 0.00199
Exploits 1, References 5