Severity: 8.1 HIGH (NVD)
EPSS: 0.0% (top 86.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 9

Description

pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, the pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unint

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: pyload/pyload < 0.5.0b3.dev91
PyPI: pyload-ng_project/pyload-ng < 0.5.0b3.dev91

Vulnerability Details (3)

GHSA: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters (2025-10-09)
CVEList: pyLoad CNL and captcha handlers allow code Injection via unsanitized parameters (2025-10-09)
OSV: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters (2025-10-09)
CVE-2025-61773 — Injection in Pyload | cvebase