Pyload-Ng Project Pyload-Ng vulnerabilities
46 known vulnerabilities affecting pyload-ng_project/pyload-ng.
Total CVEs: 46
CISA KEV: 0
Public exploits: 4
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 18, MEDIUM 19, UNKNOWN 1
Vulnerabilities
Page 2 of 3
CVE-2024-32880 [CRITICAL] CWE-434 pyLoad allows upload to arbitrary folder lead to RCE
P3 | versions ≥ 0, ≤ 0.5.0 | 2024-04-24
### Summary
An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution.
### Details
Example version: 0.5
File: src/pyload/webui/app/blueprints/app_blueprint.py
```python
@bp.route("/render/", endpoint="render")
def render(filename):
    mimetype = mimetypes.guess_type(filename)[0] or "
```
Sources: GHSA, OSV
CVE-2026-45348 [HIGH] CWE-79 pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
P3 | versions ≥ 0, ≤ 0.5.0b3.dev99 | 2026-05-14
## Summary
The `packages.js` template at `src/pyload/webui/app/themes/modern/templates/js/packages.js:172` interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via `$(div).html(html)`
Sources: GHSA
CVE-2026-33992 [CRITICAL] CWE-918 pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
P3 | versions ≥ 0, ≤ 0.5.0b3.dev96 | 2026-03-27
## Summary
PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalO
Sources: GHSA, OSV
CVE-2026-42315 [MEDIUM] CWE-22
P3 | CVSS 6.5 | fixed in 0.5.0b3.dev100 | 2026-05-11
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vu
Sources: GHSA, NVD
CVE-2025-57751 [HIGH] CWE-400 Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
P3 | versions ≥ 0, < 0.5.0b3.dev92 | 2025-08-21
Dear Maintainers,
I am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and would like to report it to you for further investigation and mitigation.
### Summary
The `jk` parameter is received in pyLoad CNL Blueprint. Due to the lack of `jk` parameter verification,
Sources: GHSA, OSV
CVE-2026-42312 [MEDIUM]
P3 | CVSS 6.8 | fixed in 0.5.0b3.dev100 | 2026-05-11
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authen
Sources: GHSA, NVD
CVE-2026-35586 [MEDIUM] CWE-863
P3 | CVSS 6.8 | versions ≤ 0.5.0b3.dev96 | 2026-04-07
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evalu
Sources: GHSA, NVD, OSV
CVE-2026-29778 [MEDIUM] CWE-23
P3 | CVSS 6.5 | versions ≥ 0.5.0b3.dev13, < 0.5.0b3.dev97 | 2026-03-07
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences.
Sources: GHSA, NVD, OSV
CVE-2026-33314 [MEDIUM] CWE-287
P3 | CVSS 6.5 | fixed in 0.5.0b3.dev97 | 2026-03-24
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downl
Sources: GHSA, NVD, OSV
CVE-2026-45306 [HIGH] CWE-706 pyLoad Has Incomplete Fix for CVE-2026-33509: storage_folder Bypass via Session Directory in pyLoad
P3 | CVSS 8.8 | versions ≥ 0, ≤ 0.5.0b3.dev99 | 2026-05-14
## Summary
The fix for CVE-2026-33509 prevents setting `storage_folder` inside `PKGDIR` or `userdir`, but does NOT protect the Flask session directory (`/tmp/pyLoad/flask`). An authenticated attacker can set `storage_folder` to the session directory and download sessio
Sources: GHSA
CVE-2023-0509 [HIGH] CWE-295 Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
P3 | CVSS 7.4 | fixed in 0.5.0b3.dev44 | 2023-01-26
Sources: GHSA, NVD, OSV
CVE-2026-42314 [MEDIUM] CWE-22
P3 | CVSS 6.5 | fixed in 0.5.0b3.dev100 | 2026-05-11
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.
Sources: GHSA, NVD
CVE-2026-35592 [MEDIUM]
P3 | CVSS 6.5 | versions ≤ 0.5.0b3.dev96 | 2026-04-07
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to wri
Sources: GHSA, NVD, OSV
CVE-2023-0434 [MEDIUM] CWE-20 Improper Input Validation in pyload-ng
P3 | versions ≥ 0, < 0.5.0b3.dev40 | 2023-01-22
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.
Sources: GHSA, OSV
CVE-2023-0435 [CRITICAL] CWE-1125 Excessive Attack Surface in pyload-ng
P3 | versions ≥ 0, < 0.5.0b3.dev41 | 2023-01-23
Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.
Sources: GHSA, OSV
CVE-2026-44226 [MEDIUM] CWE-209 PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
P4 | versions ≥ 0, < 0.5.0b3.dev100 | 2026-05-06
### Summary
`pyload-ng` WebUI returns full Python traceback details to clients on unhandled exceptions.
Because `/web/` is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for e
Sources: GHSA
CVE-2023-0227 [MEDIUM] CWE-613 pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
P4 | CVSS 6.5 | versions ≥ 0, ≤ 0.5.0b3.dev97 | 2026-04-14
### Summary
pyLoad caches `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database.
As a result, an already logged-in user can keep old (revoked) privileges until logo
Sources: GHSA, OSV
CVE-2024-1240 [UNKNOWN]
P4 | versions ≥ 0, < fe94451dcc2be90b3889e2fd9d07b483c8a6dccd | 2024-11-15
An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79.
Sources: OSV
CVE-2026-40071 [MEDIUM] CWE-285 pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
P4 | versions ≥ 0, ≤ 0.5.0b3 | 2026-04-08
### Summary
Several WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute `MODIFY` operations that should be denied by pyLoad's own permission model.
Confirmed mismatches:
-
Sources: GHSA
CVE-2026-46561 [MEDIUM] CWE-918 pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
P4 | versions ≥ 0, < 0.5.0b3.dev100 | 2026-05-21
## Summary
The SSRF mitigation added in commit `33c55da` for GHSA-7gvf-3w72-p2pg is incomplete. The `PREREQFUNCTION`-based private IP check was correctly applied to `HTTPChunk` (download path) but not to `HTTPRequest` (used by the `parse_urls` API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds
Sources: GHSA