Path traversal in SABnzbd - CVE-2021-29488
Published: May 7, 2021 / Updated: June 29, 2026
SABnzbd
Detailed vulnerability description
The vulnerability allows a remote attacker to create files outside the configured download folder.
The vulnerability exists due to improper path restriction in filesystem.renamer() when processing malicious PAR2 files from a downloaded NZB. A remote attacker can supply a crafted NZB that retrieves malicious PAR2 files to create files outside the configured download folder.
Exploitation requires the target to add a crafted NZB to the download queue, including through automated third-party integrations. The issue is limited to creating new files and does not allow overwriting, modifying, or deleting existing files.