cvebase

Pyload-Ng Project Pyload-Ng vulnerabilities

46 known vulnerabilities affecting pyload-ng_project/pyload-ng.

Total CVEs: 46
CISA KEV: 0
Public exploits: 4
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 18, MEDIUM 19, UNKNOWN 1

Vulnerabilities

Page 1 of 3
CVE-2023-0297 | P1 | CRITICAL | Exploited | PoC | ≥ 0, < 0.5.0b3.dev31 | 2023-01-14
CVE-2023-0297 [CRITICAL] CWE-94 Code Injection in pyload-ng: Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
ghsa, osv
CVE-2024-39205 | P2 | MEDIUM | CVSS 5.3 | PoC | ≥ 0, ≤ 0.5.0b3.dev85 | 2024-09-09
CVE-2024-39205 [MEDIUM] CWE-94 pyload-ng vulnerable to RCE with js2py sandbox escape. Summary: Any pyload-ng running under python3.11 or below is vulnerable to RCE. An attacker can send a request containing any shell command and the victim server will execute it immediately. Details: js2py has a sandbox escape vulnerability assigned as [CVE-2024-28397](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape), which is used
ghsa, osv
CVE-2024-21644 | P2 | HIGH | PoC | ≥ 0, < 0.5.0b3.dev77 | 2024-01-08
CVE-2024-21644 [HIGH] CWE-284 pyload Unauthenticated Flask Configuration Leakage vulnerability. Summary: Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. Details: Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. PoC: Run `pyload` in the default configuration by running the following
ghsa, osv
CVE-2024-21645 | P3 | MEDIUM | PoC | ≥ 0, < 0.5.0b3.dev77 | 2024-01-08
CVE-2024-21645 [MEDIUM] CWE-74 pyload Log Injection vulnerability. Summary: A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Details: `pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username co
ghsa, osv
CVE-2025-54802 | P2 | CRITICAL | CVSS 9.8 | v0.5.0b3.dev89 | 2025-08-05
CVE-2025-54802 [CRITICAL] CWE-22: pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path const
ghsa, nvd, osv
CVE-2026-33511 | P2 | CRITICAL | CVSS 9.8 | ≥ 0.5.0a5.dev528, < 0.5.0b3.dev97 | 2026-03-24
CVE-2026-33511 [CRITICAL] CWE-639: pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them
nvd
CVE-2025-53890 | P2 | CRITICAL | ≥ 0, < 0.20 | 2025-07-15
CVE-2025-53890 [CRITICAL] CWE-79 pyLoad vulnerable to XSS through insecure CAPTCHA. Summary: An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows **unauthenticated remote attackers** to execute **arbitrary code** in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system RCE.
ghsa, osv
CVE-2026-35463 | P2 | HIGH | CVSS 8.8 | ≤ 0.5.0b3.dev96 | 2026-04-07
CVE-2026-35463 [HIGH] CWE-78: pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config opti
ghsa, nvd, osv
CVE-2026-33509 | P2 | HIGH | CVSS 8.8 | ≥ 0.5.0a5.dev528, < 0.5.0b3.dev97 | 2026-03-24
CVE-2026-33509 [HIGH] CWE-269: pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subpr
ghsa, nvd, osv
CVE-2026-35459 | P3 | CRITICAL | CVSS 9.1 | fixed in 0.5.0b3.dev97 | 2026-04-06
CVE-2026-35459 [CRITICAL]: pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS
ghsa, nvd, osv
CVE-2025-7346 | P3 | HIGH | ≥ 0, ≤ 0.5.0b3.dev88 | 2025-07-08
CVE-2025-7346 [HIGH] CWE-284 pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages. Summary: Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Details: Any unauthenticated attacker can bypass the localhost restrictions posed by the ap
ghsa, osv
CVE-2026-42313 | P3 | HIGH | CVSS 8.3 | fixed in 0.5.0b3.dev100 | 2026-05-11
CVE-2026-42313 [HIGH]: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — wh
ghsa, nvd
CVE-2026-35187 | P3 | HIGH | CVSS 7.7 | fixed in 0.5.0b3.dev97 | 2026-04-06
CVE-2026-35187 [HIGH] CWE-918: pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS r
ghsa, nvd, osv
CVE-2023-47890 | P3 | HIGH | ≥ 0, < 0.5.0b3.dev75 | 2023-11-21
CVE-2023-47890 [HIGH] CWE-22 Download to arbitrary folder can lead to RCE. Summary: A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts. Details: When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays wi
ghsa, osv
CVE-2025-54140 | P3 | HIGH | ≥ 0.5.0b3.dev89, < 0.5.0b3.dev90 | 2025-07-21
CVE-2025-54140 [HIGH] CWE-22 `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write. Summary: An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of the `pyLoad` By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory, allowing them to **write arbitrary f
ghsa, osv
CVE-2026-35464 | P3 | HIGH | CVSS 8.8 | ≥ 0, ≤ 0.5.0b3 | 2026-04-04
CVE-2026-35464 [HIGH] CWE-502 pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509). Summary: The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONLY_OPTIONS` set to block non-admin users from modifying security-critical config options. The `storage_fol
ghsa, osv
CVE-2026-32808 | P3 | HIGH | CVSS 8.1 | ≥ 0.5.0a5.dev528, < 0.5.0b3.dev97 | 2026-03-20
CVE-2026-32808 [HIGH] CWE-22: pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives
nvd
CVE-2024-22416 | P3 | HIGH | CVSS 8.8 | fixed in 0.5.0b3.dev78 | 2024-01-18
CVE-2024-22416 [HIGH] CWE-352: pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF
ghsa, nvd, osv
CVE-2025-55156 | P3 | HIGH | ≥ 0, < 0.5.0b3.dev91 | 2025-08-12
CVE-2025-55156 [HIGH] CWE-89 PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter. Summary: The parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage. Details: - Affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271 - Affected code
ghsa, osv
CVE-2025-61773 | P3 | HIGH | ≥ 0, < 0.5.0b3.dev91 | 2025-10-09
CVE-2025-61773 [HIGH] CWE-116 pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters. Summary: pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate
ghsa, osv