CVE-2026-35592: pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass

April 8, 2026

The _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the GHSA-7g4m-8hx2-4qh3 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix.

References

github.com/advisories/GHSA-mvwx-582f-56r7
github.com/pyload/pyload
github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7
nvd.nist.gov/vuln/detail/CVE-2026-35592

Code Behaviors & Features

Detect and mitigate CVE-2026-35592 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →