Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-39205Code Injection in Project Pyload-ng

CWE-94Code Injection7 documents7 sources
Severity
9.8CRITICALNVD
GHSA5.3OSV5.3
EPSS
83.9%
top 0.70%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Pyload-ng Project Pyload-ng
Timeline
PublishedOct 28
Latest updateNov 18

Description

An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

PyPIpyload-ng_project/pyload-ng0.5.0b3.dev85

🔴Vulnerability Details

3
CVEList
CVE-2024-39205: An issue in pyload-ng v02024-10-28
OSV
pyload-ng vulnerable to RCE with js2py sandbox escape2024-09-09
GHSA
pyload-ng vulnerable to RCE with js2py sandbox escape2024-09-09

💥Exploits & PoCs

1
Metasploit
Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS pyLoad Remote Code Execution via js2py Sandbox Escape (CVE-2024-39205)2024-11-18

🕵️Threat Intelligence

1
Greynoiseio
NoiseLetter March 2025
CVE-2024-39205 — Code Injection in Project Pyload-ng | cvebase