CVE-2026-40491
Medium
Low
Medium
High
Critical
6.5
CVSS Score
Vulnerability Description
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
R
Scope
U
Confidentiality
N
Integrity
H
Availability
N
References & Resources
-
https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dffsecurity-advisories@github.com
-
https://github.com/wkentaro/gdown/releases/tag/v5.2.2security-advisories@github.com
-
https://github.com/wkentaro/gdown/security/advisories/GHSA-76hw-p97h-883fsecurity-advisories@github.com
Severity Details
6.5
out of 10.0
Medium
Weakness Type (CWE)
CWE-22
Top 25 #6
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Description
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can…
- Exploit Likelihood
- High
- Typical Severity
- High
- OWASP Top 10
- A01:2021-Broken Access Control
- Abstraction Level
- Base
Key Information
- Published Date
- April 18, 2026
