CVE-2024-21644
published 2024-01-08

Priority: P269
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 42.17% (98.5th percentile)

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.

Affected (4 ranges)

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev77 | 0.5.0b3.dev77 |
| pyload | pyload | < 0.5.0b3.dev77 | 0.5.0b3.dev77 |
| pyload | pyload | <= 0.4.9 | |
| pyload | pyload | | |

Detection & IOCs (extracted from sources)

url: /render/info.html
cookie: pyload_session
  • Unauthenticated GET request to /render/info.html returns HTTP 200 with Flask config contents including 'SECRET_KEY': and 'pyload_session' in the response body — indicates successful exploitation of the config disclosure.
  • Shodan/FOFA/ZoomEye fingerprinting queries for exposed pyLoad instances: search for html:"pyload", http.title:"login - pyload", or app="pyLoad" to identify potentially vulnerable targets.
  • The vulnerability exists in pyLoad versions prior to 0.5.0b3.dev77; the /render/info.html endpoint is only exploitable unauthenticated on unpatched instances.
  • Successful exploitation exposes the Flask SECRET_KEY, enabling potential session forgery/hijacking via the pyload_session cookie.
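
A log-review sketch for the URL indicator above, added here as an example and not taken from pyLoad or from this page's sources. It assumes a reverse proxy in front of pyLoad that writes Combined Log Format; the sample lines are constructed. That format records neither cookies nor response bodies, so each hit is a lead to review against the instance's version, not proof that the request was unauthenticated.

```python
import re
from collections import Counter
from urllib.parse import unquote

IOC_PATH = "/render/info.html"  # URL indicator listed on this page

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def request_path(target):
    """Drop the query string and percent-decode, so /render/info%2Ehtml?x=1 still matches."""
    return unquote(target.split("?", 1)[0])

def find_hits(lines):
    """Return one record per GET to IOC_PATH that was answered with HTTP 200."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed log format
        if (m["method"] == "GET" and m["status"] == "200"
                and request_path(m["target"]) == IOC_PATH):
            hits.append({k: m[k] for k in ("ip", "ts", "target", "size")})
    return hits

def hits_by_client(hits):
    """Count hits per source address to prioritise review."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jan/2024:10:12:01 +0000] "GET /render/info.html HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [09/Jan/2024:10:12:05 +0000] "GET /render/info%2Ehtml?x=1 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.20 - - [09/Jan/2024:10:13:40 +0000] "GET /render/info.html HTTP/1.1" 302 199 "-" "-"',
    '192.0.2.44 - - [09/Jan/2024:10:14:02 +0000] "GET /login HTTP/1.1" 200 2301 "-" "-"',
    'truncated line without a request field',
]

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["target"]} size={h["size"]}')
    print(dict(hits_by_client(found)))
```

A 302 on the same path, as in the third sample line, is not counted because no content was returned to the client.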