101 matches found
Linux Distros Unpatched Vulnerability : CVE-2026-41140
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path...
CVE-2026-41140
A flaw was found in Poetry, a dependency manager for Python. This vulnerability allows a remote attacker to perform a path traversal attack. By crafting a malicious software package, the extractall function in Poetry can be tricked into writing files to unintended locations on the system. This...
EUVD-2026-25578
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supporte...
Directory Traversal
Overview poetry is a Python dependency management and packaging made easy. Affected versions of this package are vulnerable to Directory Traversal via the extractall function in src/poetry/utils/helpers.py that extracts sdist tarballs without path traversal protection on Python versions where...
CVE-2026-40491
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...
Exploit for Path Traversal in Python
CVE-2007-4559 — TarSlip: The 15-Year Directory Traversal...
CVE-2026-40491 gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...
CVE-2026-40491
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...
CVE-2026-40491
CVE-2026-40491 affects the gdown library (Python) prior to 5.2.2. A path traversal flaw in the extractall function fails to sanitize archive member filenames, allowing files to be written outside the destination directory and potentially enabling arbitrary file overwrite and Remote Code Execution...
CVE-2026-40491
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...
EUVD-2026-23642
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...
CVE-2026-40491 gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...
CVE-2026-40491 gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...
gdown 安全漏洞
gdown is a Google Drive file download tool developed by Kentaro Wada. Versions of gdown prior to 5.2.2 contained security vulnerabilities; these vulnerabilities stemmed from the extractall function’s path traversal vulnerability, which could lead to arbitrary file overwriting and remote code...
Linux Distros Unpatched Vulnerability : CVE-2026-40491
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. Wh...
GHSA-76HW-P97H-883F gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
Summary The gdown library tested on v5.2.1 is vulnerable to a Path Traversal attack within its extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside...
gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall
Summary The gdown library tested on v5.2.1 is vulnerable to a Path Traversal attack within its extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside...
Directory Traversal
Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal in the safeextractall function. An attacker can write files outside the intended extraction directory by crafting a malicious tar archiv...
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Summary The safeextractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended...
CVE-2026-39306
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../...