CVE-2025-55156: SQL Injection in Pyload

CWE-89: SQL Injection (4 documents, 4 sources)
Severity: 7.8 HIGH (NVD)
EPSS: 0.0% (top 89.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 11
Latest update: Aug 12

Description

pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

CVEListV5: pyload/pyload < 0.5.0b3.dev91
PyPI: pyload-ng_project/pyload-ng < 0.5.0b3.dev91

Vulnerability Details (3)

GHSA: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter (2025-08-12)
OSV: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter (2025-08-12)
CVEList: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter (2025-08-11)