Pyload-Ng Project Pyload-Ng vulnerabilities

CVE-2025-53890 [CRITICAL] CWE-79 pyLoad vulnerable to XSS through insecure CAPTCHA pyLoad vulnerable to XSS through insecure CAPTCHA #### Summary An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows **unauthenticated remote attackers** to execute **arbitrary code** in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce. #

CVE-2025-7346 [HIGH] CWE-284 pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages ### Summary Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. ### Details Any unauthenticated attacker can bypass the localhost restrictions posed by the ap

CVE-2024-1240 CVE-2024-1240: An open redirection vulnerability exists in pyload/pyload version 0 An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79.

CVE-2024-47821 [HIGH] CWE-78 pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API ### Summary The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file ca

CVE-2024-39205 [MEDIUM] CWE-94 pyload-ng vulnerable to RCE with js2py sandbox escape pyload-ng vulnerable to RCE with js2py sandbox escape ### Summary Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately. ### Details js2py has a vulnerability of sandbox escape assigned as [CVE-2024-28397](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape), which is used

CVE-2024-32880 [CRITICAL] CWE-434 pyLoad allows upload to arbitrary folder lead to RCE pyLoad allows upload to arbitrary folder lead to RCE ### Summary An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution ### Details example version: 0.5 file:src/pyload/webui/app/blueprints/app_blueprint.py ```python @bp.route("/render/", endpoint="render") def render(filename): mimetype = mimetypes.guess_type(filename)[0] or "

CVE-2024-24808 [MEDIUM] CWE-601 pyLoad open redirect vulnerability due to improper validation of the is_safe_url function pyLoad open redirect vulnerability due to improper validation of the is_safe_url function ### Summary Open redirect vulnerability due to incorrect validation of input values when redirecting users after login. ### Details pyload is validating URLs via the `get_redirect_url` function when redirecting users at login. The URL entered in the `next` variable goes through the `

CVE-2024-22416 [HIGH] CWE-352 CVE-2024-22416: pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows an pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF

CVE-2024-21644 [HIGH] CWE-284 pyload Unauthenticated Flask Configuration Leakage vulnerability pyload Unauthenticated Flask Configuration Leakage vulnerability ### Summary Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. ### Details Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. ### PoC Run `pyload` in the default configuration by running the following

CVE-2024-21645 [MEDIUM] CWE-74 pyload Log Injection vulnerability pyload Log Injection vulnerability ### Summary A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. ### Details `pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username co

CVE-2023-47890 [HIGH] CWE-22 Download to arbitrary folder can lead to RCE Download to arbitrary folder can lead to RCE ### Summary A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts. ### Details When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays wi

CVE-2023-0509 [HIGH] CWE-295 CVE-2023-0509: Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44. Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.

CVE-2023-0488 [MEDIUM] CWE-79 CVE-2023-0488: Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42. Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.

CVE-2023-0435 [CRITICAL] CWE-1125 Excessive Attack Surface in pyload-ng Excessive Attack Surface in pyload-ng Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.

CVE-2023-0434 [MEDIUM] CWE-20 Improper Input Validation in pyload-ng Improper Input Validation in pyload-ng Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.

CVE-2023-0297 [CRITICAL] CWE-94 Code Injection in pyload-ng Code Injection in pyload-ng Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

CVE-2023-0057 [MEDIUM] CWE-1021 CVE-2023-0057: Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5 Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.

CVE-2023-0055 [MEDIUM] CWE-319 Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is patched in versio