CVE-2025-55156
Published 2025-08-11
Priority: P349 · Severity: high · CVSS 4.0 base score: 7.8
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (all remaining environmental and supplemental metrics X, not defined)
EPSS: 0.30% (22.0th percentile)
pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev91 | 0.5.0b3.dev91 |
| pyload | pyload | < 0.5.0b3.dev91 | 0.5.0b3.dev91 |
GHSA
ghsa·2025-08-12
CVE-2025-55156 [HIGH] CWE-89
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
### Summary
The `add_links` parameter of the `/json/add_package` API is vulnerable to SQL injection. SQL injection vulnerabilities of this kind can expose sensitive data.
### Details
- Affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
- Affected code:
```python
@style.queue
def update_link_info(self, data):
    """
    data is list of tuples (name, size, status, url)
    """
    # The UPDATE is parameterised: the url values travel as bound parameters.
    self.c.executemany(
        "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
        data,
    )
    ids = []
    # Despite its name, `statuses` holds the url values (x[3]) joined with "','".
    statuses = "','".join(x[3] for x in data)
    # Injection point: the urls are interpolated into the SQL text, so a url
    # containing a single quote breaks out of the IN (...) list.
    self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
    for r in self.c:
        ids.append(int(r[0]))
    return ids
```
statuses is c
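The following is an added, self-contained reproduction of the sink's query construction, not pyLoad's code and not the project's fix in 0.5.0b3.dev91. It rebuilds the two queries from the advisory's snippet as plain functions over an in-memory SQLite table whose layout (id, name, size, status, url), sample rows, payload string and function names are all constructed for the demonstration; how a value submitted through `add_links` reaches `update_link_info` is not shown on this page and is assumed. It shows the url-in-IN-list injection returning every row for the vulnerable form, the parameterised form returning only exact matches, and, as a caveat on the write-side impact, that Python's standard `sqlite3` cursor refuses a stacked second statement at this sink.

```python
import sqlite3

# Constructed sample data: the columns mirror those the advisory's queries
# touch; this is not pyLoad's real schema.
SAMPLE_LINKS = [
    (1, "file-a.bin", 100, 1, "http://example.test/a"),
    (2, "file-b.bin", 200, 2, "http://example.test/b"),
    (3, "secret.bin", 300, 3, "http://example.test/secret"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE links (id INTEGER PRIMARY KEY, name TEXT, size INTEGER, "
        "status INTEGER, url TEXT)"
    )
    conn.executemany("INSERT INTO links VALUES (?, ?, ?, ?, ?)", SAMPLE_LINKS)
    return conn


def update_link_info_vulnerable(conn, data):
    """Reproduces the query construction from the advisory's snippet.

    data is a list of tuples (name, size, status, url). The UPDATE is
    parameterised, but the follow-up SELECT is assembled from the url values
    with an f-string, so a url containing a single quote escapes the IN list.
    """
    c = conn.cursor()
    c.executemany(
        "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
        data,
    )
    urls = "','".join(x[3] for x in data)
    c.execute(f"SELECT id FROM links WHERE url IN ('{urls}')")  # injection point
    return [int(r[0]) for r in c]


def update_link_info_hardened(conn, data):
    """Same logic with the SELECT parameterised: one placeholder per url.

    This is the author's hardened variant for illustration, not the fix
    shipped in pyLoad 0.5.0b3.dev91.
    """
    c = conn.cursor()
    c.executemany(
        "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
        data,
    )
    if not data:
        return []
    placeholders = ",".join("?" * len(data))
    c.execute(
        f"SELECT id FROM links WHERE url IN ({placeholders})",
        [x[3] for x in data],
    )
    return [int(r[0]) for r in c]


# Constructed payload: the quote closes the IN list, OR 1=1 matches every row,
# and the SQL comment swallows the trailing "')" of the original query text.
INJECTED_URL = "http://attacker.test/x') OR 1=1 --"


def demo():
    """Run both variants on a benign url and on the injected url.

    Returns (vulnerable/benign, vulnerable/injected, hardened/benign,
    hardened/injected) id lists, each against a fresh database.
    """
    benign = [("file-a.bin", 100, 1, "http://example.test/a")]
    evil = [("file-x.bin", 1, 1, INJECTED_URL)]
    return (
        update_link_info_vulnerable(make_db(), benign),
        update_link_info_vulnerable(make_db(), evil),
        update_link_info_hardened(make_db(), benign),
        update_link_info_hardened(make_db(), evil),
    )


def stacked_statement_rejected(conn):
    """Check whether a second, injected statement would execute at this sink.

    Python's sqlite3 cursor executes only one statement per call and raises
    for any trailing SQL, so a "'); DELETE FROM links; --" payload is rejected
    here. Other drivers or database engines may behave differently.
    """
    payload = "http://attacker.test/y'); DELETE FROM links; --"
    try:
        update_link_info_vulnerable(conn, [("n", 1, 1, payload)])
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    print(demo())                                   # ([1], [1, 2, 3], [1], [])
    print(stacked_statement_rejected(make_db()))    # True
```

The benign url yields `[1]` from both variants; the injected url yields every id from the vulnerable SELECT and nothing from the parameterised one, since no row's url equals the payload string. The last check is the caveat a reviewer would ask for when reading "modify or delete data": with this driver the realistic impact at this sink is through the SELECT's result set, not a stacked write.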
OSV
osv·2025-08-12
CVE-2025-55156 [HIGH] PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.