SCA: security update for gdown (GHSA-76hw-p97h-883f)

high Tenable Cloud Security Plugin ID 440330

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path
Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR
archive, the library fails to sanitize or validate the filenames of the archive members. This allow files
to be written outside the intended destination directory, potentially leading to arbitrary file overwrite
and Remote Code Execution (RCE). Version 5.2.2 contains a fix. (CVE-2026-40491)

Solution

Update the gdown library and its related packages to version 5.2.2 or later.

See Also

https://github.com/advisories/GHSA-76hw-p97h-883f

Plugin Details

Severity: High

ID: 440330

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 4/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-40491

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/14/2026

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-40491

cwe: CWE-22