{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40491", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-18T01:36:47.659Z", "dateUpdated": "2026-04-20T15:50:02.983Z"}, "containers": {"cna": {"title": "gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f"}, {"name": "https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff", "tags": ["x_refsource_MISC"], "url": "https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff"}, {"name": "https://github.com/wkentaro/gdown/releases/tag/v5.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/wkentaro/gdown/releases/tag/v5.2.2"}], "affected": [{"vendor": "wkentaro", "product": "gdown", "versions": [{"version": "< 5.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:36:47.659Z"}, "descriptions": [{"lang": "en", "value": "gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix."}], "source": {"advisory": "GHSA-76hw-p97h-883f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:49:26.274715Z", "id": "CVE-2026-40491", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:50:02.983Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40491", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-18T01:36:47.659Z", "dateUpdated": "2026-04-20T15:50:02.983Z"}, "containers": {"cna": {"title": "gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f"}, {"name": "https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff", "tags": ["x_refsource_MISC"], "url": "https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff"}, {"name": "https://github.com/wkentaro/gdown/releases/tag/v5.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/wkentaro/gdown/releases/tag/v5.2.2"}], "affected": [{"vendor": "wkentaro", "product": "gdown", "versions": [{"version": "< 5.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:36:47.659Z"}, "descriptions": [{"lang": "en", "value": "gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix."}], "source": {"advisory": "GHSA-76hw-p97h-883f", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40491", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:49:26.274715Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:49:54.248Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wkentaro:gdown:*:*:*:*:*:*:*:*", "matchCriteriaId": "39302199-72EC-47E9-B5FE-38A9845F0943", "versionEndExcluding": "5.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix."}], "id": "CVE-2026-40491", "lastModified": "2026-05-01T18:24:32.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-18T03:16:13.157", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/wkentaro/gdown/releases/tag/v5.2.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "gdown", "source": "cna", "vendor": "wkentaro"}, "product": "gdown", "vendor": "wkentaro"}], "analysis": {"en": {"generated_at": "2026-04-18T08:40:20.341852+00:00", "value": {"mitigation_remediation": ["Upgrade gdown to version 5.2.2 or later, which includes the fix.", "If an upgrade is not immediately possible, restrict the extraction directory and validate or sanitize archive member names before extraction.", "For existing deployments, audit the code base for calls to extractall and eliminate or harden them, ensuring that only trusted archives are processed."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary File Overwrite / Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The library released by wkentaro under the name gdown is vulnerable in all versions before 5.2.2. Users that depend on earlier releases, such as v5.2.1 or older, are impacted. The vulnerability is relevant to Python projects that import gdown for downloading data from Google Drive.", "description_and_impact": "The gdown library contains a path traversal flaw in its extractall function, where the names of files inside ZIP or TAR archives are not validated before extraction. This allows an attacker to craft an archive that writes files outside the intended destination directory, leading to arbitrary file overwrite and the potential for remote code execution, as the overwritten files could be privileged executables or configuration files. The weakness is classified as CWE-22.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack scenario involves an environment that uses gdown to extract archives freshly downloaded from untrusted sources; the attacker supplies a malicious archive that causes files to be written outside the target directory. If the overwritten files include executables or code that runs with elevated privileges, remote code execution becomes possible. However, exploitability depends on the user\u2019s context and the permissions of the gdown process."}}}}, "created": "2026-04-18T08:45:41.380038+00:00", "updated": "2026-04-20T14:58:49.647083+00:00", "vendors": ["wkentaro", "wkentaro$PRODUCT$gdown"]}