CVE-2026-33314 — Improper Authentication in Pyload

CWE-287 — Improper Authentication CWE-346 — Origin Validation Error5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 99.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyload Pyload-ng Project Pyload-ng

Timeline

PublishedMar 24

Description

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5pyload/pyload< 0.5.0b3.dev97

▶NVDpyload-ng_project/pyload-ng< 0.5.0b3.dev97

▶PyPIpyload-ng_project/pyload-ng< 0.5.0b3.dev97

🔴Vulnerability Details

CVEList

pyload-ng: Improper Authentication and Origin Validation Error↗2026-03-24

▶

GHSA

Improper Authentication and Origin Validation Error in pyload-ng↗2026-03-19

▶

OSV

Improper Authentication and Origin Validation Error in pyload-ng↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33314 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶