Intel

AIKIDO-2026-975498

psd-tools is vulnerable to Path Traversal

Path TraversalCVE-2026-49836 Published 6 days ago

59

Medium Risk

This Affects:

PYTHONpsd-tools
0.0.1 - 1.17.0
Fixed in 1.17.1
Are you affected? Scan for Free

TL;DR

The SmartObject.save() method in psd-tools writes an embedded smart object to a file path taken verbatim from the parsed PSD without sanitization. When an application extracts embedded smart objects from an untrusted PSD, the embedded name can contain an absolute path or ../ traversal sequences, causing file-supplied bytes to be written outside the intended output directory. For external-kind smart objects, the fullPath descriptor is additionally used as an arbitrary read source, so file contents can be copied into the output directory. The fix strips directory components from the embedded name, confines writes to a caller-supplied directory, and constrains external read paths.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application extracts embedded smart objects from untrusted PSD files via SmartObject.save().

Background info

psd-tools is vulnerable to Path Traversal in versions 0.0.1 - 1.17.0.

How to fix this

Upgrade the psd-tools library to the patch version.