CVE-2026-33511Authorization Bypass Through User-Controlled Key in Project Pyload-ng

CWE-639Authorization Bypass Through User-Controlled Key2 documents2 sources
Severity
8.8HIGHNVD
EPSS
0.1%
top 68.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pyload-ng Project Pyload-ngPyload
Timeline
PublishedMar 24

Description

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N

Affected Packages3 packages

NVDpyload-ng_project/pyload-ng0.5.0a5.dev5280.5.0b3.dev97
NVDpyload/pyload0.4.20
CVEListV5pyload/pyload>= 0.4.20, < 0.5.0b3.dev97

🔴Vulnerability Details

1
CVEList
pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad2026-03-24
CVE-2026-33511 — Project Pyload-ng vulnerability | cvebase