CVE-2026-44226
Published 2026-05-11
Priority: P434 · Severity: medium · CVSS 3.1 base score: 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.34% (25.4th percentile)
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
| pyload | pyload | < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
| pyload | pyload | < 2026-04-13 | 2026-04-13 |
VulDB
pyLoad up to 0.5.0b3.dev98 /web/ information exposure
vuldb·2026-05-11·CVSS 5.3
CVE-2026-44226 [MEDIUM] pyLoad up to 0.5.0b3.dev98 /web/ information exposure
A vulnerability identified as problematic has been detected in pyLoad. This impacts an unknown function of the file /web/. Performing a manipulation results in information exposure through an error message.
This vulnerability is cataloged as CVE-2026-44226. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
ghsa·2026-05-06
CVE-2026-44226 [MEDIUM] CWE-209 PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
### Summary
`pyload-ng` WebUI returns full Python traceback details to clients on unhandled exceptions.
Because `/web/` is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response.
### Details
The issue is caused by the combination of:
1. Unauthenticated template-render route:
   - `src/pyload/webui/app/blueprints/app_blueprint.py:32-36`
   - `@bp.route("/web/", endpoint="web")`
   - `data = render_template(filename)` with user-controlled `filename`
   - no `@login_required(...)` on this route
2. Global excepti
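The two ingredients above (an unauthenticated route that renders a client-supplied template name, plus a catch-all exception handler that echoes the traceback) are easy to reproduce in a minimal Flask app. The following is an added illustrative example, not pyLoad's code: it builds the leaking handler and the hardened handler side by side, so a reviewer can see what each one returns for a missing template. The query parameter name `page` and the in-memory template set are assumptions of the example.

```python
import logging
import traceback
import uuid

from flask import Flask, render_template, request
from jinja2 import DictLoader

log = logging.getLogger("webui")


def make_app(leak_tracebacks: bool) -> Flask:
    app = Flask(__name__)
    # Constructed in-memory template set: only index.html exists.
    app.jinja_loader = DictLoader({"index.html": "<html>index</html>"})

    @app.route("/web/")
    def web():
        # Template name comes straight from the client (query parameter "page"
        # is an assumed name); there is no authentication check on this route.
        return render_template(request.args.get("page", "index.html"))

    @app.errorhandler(Exception)
    def on_error(exc):
        if leak_tracebacks:
            # Vulnerable pattern (CWE-209): the full stack trace, including
            # file paths and the failing template name, goes into the HTTP body.
            body = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
            return body, 500, {"Content-Type": "text/plain"}
        # Hardened pattern: keep the trace in server-side logs and return only
        # a correlation id the operator can grep for.
        ref = uuid.uuid4().hex
        log.error("unhandled exception ref=%s", ref, exc_info=exc)
        return f"Internal error (ref {ref})", 500, {"Content-Type": "text/plain"}

    return app


def probe(leak_tracebacks: bool, page: str) -> tuple[int, str]:
    """GET /web/?page=<page> via Flask's test client; returns (status, body)."""
    client = make_app(leak_tracebacks).test_client()
    resp = client.get("/web/", query_string={"page": page})
    return resp.status_code, resp.get_data(as_text=True)


if __name__ == "__main__":
    print(probe(True, "missing.html")[1])   # leaking handler: full traceback in the body
    print(probe(False, "missing.html")[1])  # hardened handler: opaque reference only
```

Both variants still answer 500 for a missing template; the difference a scanner or log reviewer should look for is whether the body contains `Traceback` and internal paths, or only an opaque reference.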
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.