CVE-2025-7346 — Improper Preservation of Permissions in Pyload

CWE-281 — Improper Preservation of Permissions CWE-284 — Improper Access Control CWE-290 — Authentication Bypass by Spoofing4 documents4 sources

Severity

8.7HIGHNVD

EPSS

0.3%

top 43.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyload Pyload-ng Project Pyload-ng

Timeline

PublishedJul 8

Description

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5pyload/pyload0.5.0b3.dev77

▶PyPIpyload-ng_project/pyload-ng0.5.0b3.dev88

🔴Vulnerability Details

OSV

pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages↗2025-07-08

▶

GHSA

pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages↗2025-07-08

▶

CVEList

CVE-2025-7346: Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages↗2025-07-08

▶