Path traversal in SABnzbd - CVE-2021-29488

 

Path traversal in SABnzbd - CVE-2021-29488

Published: May 7, 2021 / Updated: June 29, 2026


Vulnerability identifier: #VU135817
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-29488
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SABnzbd
Affected software:
SABnzbd

Detailed vulnerability description

The vulnerability allows a remote attacker to create files outside the configured download folder.

The vulnerability exists due to improper path restriction in filesystem.renamer() when processing malicious PAR2 files from a downloaded NZB. A remote attacker can supply a crafted NZB that retrieves malicious PAR2 files to create files outside the configured download folder.

Exploitation requires the target to add a crafted NZB to the download queue, including through automated third-party integrations. The issue is limited to creating new files and does not allow overwriting, modifying, or deleting existing files.


How to mitigate CVE-2021-29488

Install security update from vendor's website.

Sources