Pyload-Ng Project Pyload-Ng vulnerabilities
38 known vulnerabilities affecting pyload-ng_project/pyload-ng.
Total CVEs: 38
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 16, MEDIUM 13, UNKNOWN 1
Vulnerabilities
Page 1 of 2
CVE-2026-40594 | MEDIUM | affected: ≥ 0, < 0.5.0b3.dev98 | published: 2026-04-16
CVE-2026-40594 [MEDIUM] CWE-346 pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
## Summary
The `set_session_cookie_secure` `before_request` handler in `src/pyload/webui/app/__init__.py` reads the `X-Forwarded-Proto` header from any HTTP request without validating that the request originates from
Sources: GHSA
CVE-2023-0227 | MEDIUM | CVSS 6.5 | affected: ≥ 0, ≤ 0.5.0b3.dev97 | published: 2026-04-14
CVE-2023-0227 [MEDIUM] CWE-613 pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
### Summary
pyLoad caches `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database.
As a result, an already logged-in user can keep old (revoked) privileges until logo
Sources: GHSA, OSV
CVE-2026-35592 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 0.5.0b3.dev97 | published: 2026-04-08
CVE-2026-35592 [CRITICAL] CWE-22 pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
## Summary
The `_safe_extractall()` function in `src/pyload/plugins/extractors/UnTar.py` uses `os.path.commonprefix()` for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially cr
Sources: GHSA, OSV
CVE-2026-40071 | MEDIUM | affected: ≥ 0, ≤ 0.5.0b3 | published: 2026-04-08
CVE-2026-40071 [MEDIUM] CWE-285 pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
### Summary
Several WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute `MODIFY` operations that should be denied by pyLoad's own permission model.
Confirmed mismatches:
-
Sources: GHSA
CVE-2026-35586 | MEDIUM | affected: ≥ 0, < 0.5.0b3.dev97 | published: 2026-04-08
CVE-2026-35586 [MEDIUM] CWE-863 pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
## Summary
The `ADMIN_ONLY_CORE_OPTIONS` authorization set in `set_config_value()` uses incorrect option names `ssl_cert` and `ssl_key`, while the actual configuration option names are `ssl_certfile` and `ssl_keyfile`. This name mismatch causes
Sources: GHSA, OSV
CVE-2026-35459 | CRITICAL | CVSS 9.3 | affected: ≥ 0, ≤ 0.5.0b3.dev96 | published: 2026-04-04
CVE-2026-35459 [CRITICAL] CWE-918 pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
## Summary
The fix for CVE-2026-33992 (GHSA-m74m-f7cr-432x) added IP validation to `BaseDownloader.download()` that checks the hostname of the initial download URL. However, pycurl is configured with `FOLLOWLOCATION=1` and `MAXREDIRS=10`, causing it to automatically
Sources: GHSA, OSV
CVE-2026-35187 | HIGH | affected: ≥ 0, ≤ 0.5.0b3.dev96 | published: 2026-04-04
CVE-2026-35187 [HIGH] CWE-918 pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
## Vulnerability Details
**CWE-918**: Server-Side Request Forgery (SSRF)
The `parse_urls` API function in `src/pyload/core/api/__init__.py` (line 556) fetches arbitrary URLs server-side via `get_url(url)` (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can:
Sources: GHSA, OSV
CVE-2026-35463 | HIGH | affected: ≥ 0, ≤ 0.5.0b3.dev96 | published: 2026-04-04
CVE-2026-35463 [HIGH] CWE-78 pyLoad: Improper Neutralization of Special Elements used in an OS Command
### Summary
The `ADMIN_ONLY_OPTIONS` protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is **only applied to core config options**, not to plugin config options. The `AntiVirus` plugin stores an executable
Sources: GHSA, OSV
CVE-2026-35464 | HIGH | CVSS 8.8 | affected: ≥ 0, ≤ 0.5.0b3 | published: 2026-04-04
CVE-2026-35464 [HIGH] CWE-502 pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
## Summary
The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONLY_OPTIONS` set to block non-admin users from modifying security-critical config options. The `storage_fol
Sources: GHSA, OSV
CVE-2026-33992 | CRITICAL | affected: ≥ 0, ≤ 0.5.0b3.dev96 | published: 2026-03-27
CVE-2026-33992 [CRITICAL] CWE-918 pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
## Summary
pyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalO
Sources: GHSA, OSV
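The three SSRF entries above (CVE-2026-35459, CVE-2026-35187, CVE-2026-33992) describe the same gap from two angles: no validation of the submitted URL at all, and then validation of the first URL only while pycurl follows up to ten redirects on its own. The following is an added example, not pyLoad's own code, of the shape a fix takes: redirects are followed manually and every hop is re-validated, including literal IPs, IPv4-mapped IPv6 addresses and hosts whose DNS answers mix public and internal addresses. The host names, DNS answers and HTTP responses are constructed so it runs offline; `resolver` and `fetcher` are stand-ins for `socket.getaddrinfo` and a pycurl handle with `FOLLOWLOCATION=0`.

```python
"""Added example, not pyLoad code: SSRF validation re-applied on every redirect
hop. DNS answers and HTTP responses are constructed; `resolver` and `fetcher`
stand in for socket.getaddrinfo and a pycurl handle with FOLLOWLOCATION=0."""
import ipaddress
from urllib.parse import urljoin, urlparse

# Shared address space (RFC 6598) is neither is_private nor is_global in the
# stdlib, so it is blocked explicitly; everything else comes from ipaddress.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]
REDIRECT_CODES = {301, 302, 303, 307, 308}


class SSRFBlocked(Exception):
    pass


def is_public_address(ip_str):
    """True only for an address a download may legitimately target."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False                 # 169.254.169.254, 10/8, 127/8, ::1, ...
    return not any(ip in net for net in EXTRA_BLOCKED)


def check_hop(url, resolver):
    """Validate the scheme and every resolved address of one hop."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {url}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked(f"no host in {url}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: no DNS query
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {host}")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:                          # every answer must be public
        raise SSRFBlocked(f"{host} resolves to {bad[0]}")
    return addrs


def validated_get(url, resolver, fetcher, max_redirs=10):
    """Follow redirects manually; return (final_url, status, hops)."""
    hops = []
    for _ in range(max_redirs + 1):
        addrs = check_hop(url, resolver)
        hops.append(url)
        status, headers = fetcher(url, addrs[0])   # connect to the checked IP
        if status not in REDIRECT_CODES:
            return url, status, hops
        location = headers.get("Location")
        if not location:
            raise SSRFBlocked("redirect without Location")
        url = urljoin(url, location)
    raise SSRFBlocked("too many redirects")


def is_blocked(url, resolver, fetcher):
    try:
        validated_get(url, resolver, fetcher)
        return False
    except SSRFBlocked:
        return True


# Constructed data: a public host, a host whose answers mix public and
# internal addresses, and a redirect chain that ends at cloud metadata.
DNS = {
    "files.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
}
RESPONSES = {
    "http://files.example/ok": (200, {}),
    "http://files.example/hop": (302, {"Location": "/ok"}),
    "http://files.example/meta": (302, {"Location": "http://169.254.169.254/metadata/v1/"}),
    "http://files.example/loop": (302, {"Location": "/loop"}),
}


def demo_resolver(host):
    return DNS.get(host, [])


def demo_fetcher(url, pinned_ip):
    return RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    print(validated_get("http://files.example/hop", demo_resolver, demo_fetcher))
    for u in ("http://files.example/meta", "http://rebind.example/x",
              "http://127.0.0.1:8000/", "http://[::1]/", "file:///etc/passwd"):
        print(u, "blocked" if is_blocked(u, demo_resolver, demo_fetcher) else "allowed")
```

Two design points matter more than the deny list itself. First, the check runs per hop, so a redirect from an allowed host to `169.254.169.254` is caught where pycurl's built-in following would not catch it. Second, `fetcher` is handed the address that was checked; the real client must connect to that address (pinning the resolved IP rather than letting the HTTP library resolve the name a second time), otherwise a host that answers differently on the second lookup defeats the check.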
CVE-2026-33509 | HIGH | CVSS 8.8 | affected: ≥ 0.5.0a5.dev528, < 0.5.0b3.dev97 | published: 2026-03-24
CVE-2026-33509 [HIGH] CWE-269
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subpr
Sources: GHSA, NVD, OSV
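Four entries above share one weakness in how `set_config_value()` decides which options a SETTINGS user may write: no restriction at all (CVE-2026-33509), a deny list missing `storage_folder` (CVE-2026-35464), a deny list that covers only core options and not plugin options such as the AntiVirus executable path (CVE-2026-35463), and a deny list whose entries `ssl_cert`/`ssl_key` do not match the real option names (CVE-2026-35586). The following is an added example, not pyLoad's own code, of a gate that closes all four: it validates its own deny list against the option schema at import time so a misspelled name fails loudly, and it marks every option of a sensitive type (file, folder, password) admin-only regardless of whether it belongs to the core or to a plugin. The schema, option names, roles and user records are constructed and only resemble pyLoad's.

```python
"""Added example, not pyLoad code: a config-write authorization gate whose
deny list is checked against the schema at import time and whose type rule
covers plugin options. Schema, option names and user records are constructed."""

ADMIN, SETTINGS, GUEST = "admin", "settings", "guest"

# Constructed schema: (section, option) -> declared type. The plugin
# section is keyed by plugin name; names only resemble pyLoad's.
SCHEMA = {
    ("ssl", "ssl_certfile"): "file",
    ("ssl", "ssl_keyfile"): "file",
    ("reconnect", "script"): "file",
    ("general", "storage_folder"): "folder",
    ("proxy", "password"): "password",
    ("download", "max_downloads"): "int",
    ("plugin:AntiVirus", "scan_command"): "file",   # plugin option
    ("plugin:AntiVirus", "enabled"): "bool",
}

# Explicit deny list: every entry must name an option that exists.
ADMIN_ONLY_OPTIONS = {
    ("ssl", "ssl_certfile"),
    ("ssl", "ssl_keyfile"),
    ("reconnect", "script"),
    ("general", "storage_folder"),
}
# Types that are admin-only wherever they appear, core or plugin: anything
# naming a path the daemon opens, executes or writes, or a credential.
ADMIN_ONLY_TYPES = {"file", "folder", "password"}


def validate_deny_list(deny, schema):
    """Entries of `deny` matching no option in `schema`; empty means consistent."""
    return sorted(entry for entry in deny if entry not in schema)


# Startup self-check: a deny list containing `ssl_cert` instead of
# `ssl_certfile` raises here instead of leaving the option writable.
_unknown = validate_deny_list(ADMIN_ONLY_OPTIONS, SCHEMA)
if _unknown:
    raise RuntimeError(f"ADMIN_ONLY_OPTIONS names unknown options: {_unknown}")


def requires_admin(section, option, schema=SCHEMA, deny=ADMIN_ONLY_OPTIONS):
    """Unknown options are rejected rather than treated as unrestricted."""
    key = (section, option)
    if key not in schema:
        raise KeyError(f"unknown option {section}.{option}")
    return key in deny or schema[key] in ADMIN_ONLY_TYPES


def set_config_value(user, section, option, value, store,
                     schema=SCHEMA, deny=ADMIN_ONLY_OPTIONS):
    """Authorize, then write into `store` (a dict standing in for the config)."""
    if user["role"] not in (ADMIN, SETTINGS):
        raise PermissionError("SETTINGS permission required")
    if user["role"] != ADMIN and requires_admin(section, option, schema, deny):
        raise PermissionError(f"{section}.{option} is admin-only")
    store[(section, option)] = value
    return store


def write_denied(user, section, option, value="x"):
    try:
        set_config_value(user, section, option, value, {})
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    settings_user = {"name": "bob", "role": SETTINGS}
    admin_user = {"name": "root", "role": ADMIN}
    # The misspelled names from the advisory, checked against the schema.
    print(validate_deny_list({("ssl", "ssl_cert"), ("ssl", "ssl_key")}, SCHEMA))
    print(write_denied(settings_user, "reconnect", "script"))               # True
    print(write_denied(settings_user, "plugin:AntiVirus", "scan_command"))  # True
    print(write_denied(settings_user, "download", "max_downloads"))         # False
    print(write_denied(admin_user, "general", "storage_folder"))            # False
```

The `validate_deny_list` call is the cheap part and the one that would have caught CVE-2026-35586 in a unit test; the type rule is what removes the need to enumerate every plugin option by hand.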
CVE-2026-33511 | HIGH | CVSS 8.8 | affected: ≥ 0.5.0a5.dev528, < 0.5.0b3.dev97 | published: 2026-03-24
CVE-2026-33511 [HIGH] CWE-639
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to
Sources: NVD
CVE-2026-33314 | MEDIUM | CVSS 6.5 | fixed in 0.5.0b3.dev97 | published: 2026-03-24
CVE-2026-33314 [MEDIUM] CWE-287
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downl
Sources: GHSA, NVD, OSV
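The two `local_check` entries above (CVE-2026-33511, CVE-2026-33314) and the `X-Forwarded-Proto` entry at the top of the page (CVE-2026-40594) are the same mistake in two places: a decision about who the client is, or how it connected, taken from a request header the client writes. The following is an added example, not pyLoad's own code, that puts each broken check next to one that decides from the transport peer and honours forwarding headers only from a trusted proxy. It works over plain WSGI environ dicts so it runs without Flask; the environs, the trusted-proxy range and the function names are constructed.

```python
"""Added example, not pyLoad code: Host-based and X-Forwarded-Proto-based
checks next to peer-address-based ones, over WSGI environ dicts. The environs
and the trusted-proxy range are constructed."""
import ipaddress

# Constructed: the only network a reverse proxy may reach us from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def peer_ip(environ):
    try:
        return ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None


def from_trusted_proxy(environ, trusted=TRUSTED_PROXIES):
    ip = peer_ip(environ)
    return ip is not None and any(ip in net for net in trusted)


# --- local_check ------------------------------------------------------------
def is_local_by_host(environ):
    """Broken: Host is whatever the client put in the request."""
    host = environ.get("HTTP_HOST", "").rsplit(":", 1)[0]
    return host in ("localhost", "127.0.0.1", "[::1]")


def is_local_by_peer(environ, trusted=TRUSTED_PROXIES):
    """Decide from the socket peer. Behind a trusted proxy the peer is the
    proxy, so the client address is taken from X-Forwarded-For only then."""
    ip = peer_ip(environ)
    if ip is None:
        return False
    if from_trusted_proxy(environ, trusted):
        xff = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
        try:
            ip = ipaddress.ip_address(xff)
        except ValueError:
            return False
    return ip.is_loopback


# --- session cookie Secure flag ---------------------------------------------
def is_https_naive(environ):
    """Broken: any client can send X-Forwarded-Proto: http and clear the flag."""
    proto = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme"))
    return proto == "https"


def is_https(environ, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-Proto only from a trusted proxy, else use the socket.
    Computed per request, never stored in shared app config, so one request
    cannot change the flag another request's cookie is issued with."""
    scheme = environ.get("wsgi.url_scheme", "http")
    if from_trusted_proxy(environ, trusted):
        fwd = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if fwd in ("http", "https"):
            scheme = fwd
    return scheme == "https"


def session_cookie_flags(environ, trusted=TRUSTED_PROXIES):
    """Per-request cookie attributes; `secure` never comes from global state."""
    return {"secure": is_https(environ, trusted), "httponly": True, "samesite": "Lax"}


# Constructed requests: 203.0.113.7 is a remote client, 10.0.0.2 the proxy.
SPOOFED_HOST = {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "localhost:8000",
                "wsgi.url_scheme": "http"}
REAL_LOCAL = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "localhost:8000",
              "wsgi.url_scheme": "http"}
DOWNGRADE = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_PROTO": "http",
             "wsgi.url_scheme": "https"}     # TLS client lying about its scheme
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_PROTO": "https",
             "HTTP_X_FORWARDED_FOR": "203.0.113.7", "wsgi.url_scheme": "http"}

if __name__ == "__main__":
    print(is_local_by_host(SPOOFED_HOST), is_local_by_peer(SPOOFED_HOST))  # True False
    print(is_https_naive(DOWNGRADE), is_https(DOWNGRADE))                  # False True
    print(session_cookie_flags(VIA_PROXY))
```

When the daemon is deployed without a proxy, `TRUSTED_PROXIES` should be empty, which makes both forwarding headers inert; the failure mode in the advisories is a proxy-aware code path running in a deployment where anyone can reach the listener directly.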
CVE-2026-32808 | HIGH | CVSS 8.1 | affected: ≥ 0.5.0a5.dev528, < 0.5.0b3.dev97 | published: 2026-03-20
CVE-2026-32808 [HIGH] CWE-22
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives
Sources: NVD
CVE-2026-29778 | MEDIUM | CVSS 6.5 | affected: ≥ 0.5.0b3.dev13, < 0.5.0b3.dev97 | published: 2026-03-07
CVE-2026-29778 [MEDIUM] CWE-23
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences.
Sources: GHSA, NVD, OSV
CVE-2025-61773 | HIGH | affected: ≥ 0, < 0.5.0b3.dev91 | published: 2025-10-09
CVE-2025-61773 [HIGH] CWE-116 pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters
### Summary
pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate
Sources: GHSA, OSV
CVE-2025-57751 | HIGH | affected: ≥ 0, < 0.5.0b3.dev92 | published: 2025-08-21
CVE-2025-57751 [HIGH] CWE-400 Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
Dear Maintainers,
I am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and would like to report it to you for further investigation and mitigation.
### Summary
The `jk` parameter is received in pyLoad CNL Blueprint. Due to the lack of `jk` parameter verification,
Sources: GHSA, OSV
CVE-2025-55156 | HIGH | affected: ≥ 0, < 0.5.0b3.dev91 | published: 2025-08-12
CVE-2025-55156 [HIGH] CWE-89 PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
### Summary
The parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.
### Details
- Affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
- Affected code
Sources: GHSA, OSV
CVE-2025-54802 | CRITICAL | CVSS 9.8 | affected: v0.5.0b3.dev89 | published: 2025-08-05
CVE-2025-54802 [CRITICAL] CWE-22
pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path const
Sources: GHSA, NVD, OSV
CVE-2025-54140 | HIGH | affected: ≥ 0.5.0b3.dev89, < 0.5.0b3.dev90 | published: 2025-07-21
CVE-2025-54140 [HIGH] CWE-22 `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
## Summary
An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of `pyLoad`. By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory, allowing them to **write arbitrary f
Sources: GHSA, OSV