cvebase

Pyload vulnerabilities

41 known vulnerabilities affecting pyload/pyload.

Total CVEs: 41
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 17, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2023-0297 | priority P1 | CRITICAL | CVSS 9.8 | Exploited, PoC | affected: ≤ 0.4.20 | 2023-01-14 | source: nvd
CWE-94. Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
CVE-2024-21644 | priority P2 | HIGH | CVSS 7.5 | PoC | affected: ≤ 0.4.9; 0.5.0; +1 more | 2024-01-08 | source: nvd
CWE-284. pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
CVE-2024-21645 | priority P3 | MEDIUM | CVSS 5.3 | PoC | affected: ≤ 0.4.9; 0.5.0; +1 more | 2024-01-08 | source: nvd
CWE-74. pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker's tracks or even to implicate another party i […]
CVE-2025-54802 | priority P2 | CRITICAL | CVSS 9.8 | affected: >= 0.5.0b3.dev89, < 0.5.0b3.dev90 | 2025-08-05 | source: nvd
CWE-22. pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in the pyLoad-ng CNL Blueprint via the package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path const […]
CVE-2025-53890 | priority P2 | CRITICAL | CVSS 9.8 | fixed in 0.5.0b3.dev89 | 2025-07-15 | source: nvd
CWE-94. pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad's CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in […]
CVE-2026-33511 | priority P2 | CRITICAL | CVSS 9.8 | affected: ≤ 0.4.20; >= 0.4.20, < 0.5.0b3.dev97 | 2026-03-24 | source: nvd
CWE-639. pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them […]
CVE-2026-35463 | priority P2 | HIGH | CVSS 8.8 | affected: ≤ 0.5.0b3.dev96 | 2026-04-07 | source: nvd
CWE-78. pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config opti […]
CVE-2026-33509 | priority P2 | HIGH | CVSS 8.8 | affected: ≥ 0.4, ≤ 0.4.20; fixed in 0.5.0b3.dev100 | 2026-03-24 | source: nvd
CWE-269. pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subpr […]
CVE-2025-7346 | priority P3 | HIGH | CVSS 8.7 | affected: ≤ 0.5.0b3.dev77 | 2025-07-08 | source: nvd
CWE-281. Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.
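CVE-2026-33511 and CVE-2025-7346 above describe the same design error: deciding "is this request local?" from a value the client controls. The following is an added example written for this page, not pyLoad's code. It contrasts a gate keyed on the Host header, which any remote client can set to 127.0.0.1, with one keyed on the transport peer address. The Request class, the handler names, the port in the sample Host header and the 203.0.113.5 attacker address are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed stand-in for a framework request object; not pyLoad's API.
@dataclass
class Request:
    remote_addr: str                          # peer address reported by the socket/WSGI layer
    headers: dict = field(default_factory=dict)


def host_header_is_local(req: Request) -> bool:
    """Flawed pattern: decides locality from the Host header, which the client
    controls completely. A remote client can simply send Host: 127.0.0.1."""
    host = req.headers.get("Host", "").rsplit(":", 1)[0].strip("[]")
    return host in ("localhost", "127.0.0.1", "::1")


def peer_is_loopback(req: Request) -> bool:
    """Hardened pattern: decides from the transport peer address only.
    Assumption: the app terminates the TCP connection itself. Behind a reverse
    proxy remote_addr is the proxy, and the check must instead rely on a
    forwarding header that the proxy is configured to overwrite."""
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


def local_only(check):
    """Decorator in the spirit of a 'local_check' gate: 403 unless check(req)."""
    def wrap(handler):
        def guarded(req):
            if not check(req):
                return 403, "local access only"
            return handler(req)
        return guarded
    return wrap


@local_only(host_header_is_local)
def add_package_flawed(req):
    return 200, "package added"


@local_only(peer_is_loopback)
def add_package_hardened(req):
    return 200, "package added"


# Constructed requests: a remote attacker spoofing Host, and a genuine local client.
SPOOFED = Request(remote_addr="203.0.113.5", headers={"Host": "127.0.0.1:9666"})
GENUINE = Request(remote_addr="127.0.0.1", headers={"Host": "127.0.0.1:9666"})


def demo():
    """Status codes each gate returns for the two requests."""
    return {
        "flawed_spoofed": add_package_flawed(SPOOFED)[0],
        "hardened_spoofed": add_package_hardened(SPOOFED)[0],
        "hardened_genuine": add_package_hardened(GENUINE)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The peer-address check is only as good as the assumption in its docstring: if a reverse proxy or load balancer sits in front of the service, every request arrives from the proxy's address and the gate would let everything through, so the deployment has to be reviewed together with the code.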
CVE-2026-41133 | priority P3 | HIGH | CVSS 8.8 | fixed in 2026-04-13; affected: ≤ 0.5.0b3.dev97 | 2026-04-22 | source: nvd
CWE-613. pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old […]
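To make the CVE-2026-41133 failure mode concrete, here is an added example, not pyLoad's code, with a constructed in-memory user store and constructed permission bits. It shows a session that copies role and permissions at login and keeps honouring them after an admin revokes one, beside a check that re-reads the user record and rejects sessions issued before the last privilege change.

```python
from dataclasses import dataclass

SETTINGS = 1 << 0   # constructed permission bits, not pyLoad's values
ADD = 1 << 1


@dataclass
class User:
    name: str
    role: str             # "admin" or "user"
    perms: int
    authz_epoch: int = 0  # incremented whenever role/perms change (hardened path)


# Constructed in-memory user store standing in for the database.
USERS: dict = {}


def reset_store():
    USERS.clear()
    USERS["alice"] = User("alice", "user", SETTINGS | ADD)


def login(name):
    """Both variants share this session. The flawed variant relies on the
    role/perms copied here; the hardened one only on name and authz_epoch."""
    u = USERS[name]
    return {"name": name, "role": u.role, "perms": u.perms, "authz_epoch": u.authz_epoch}


def has_perm_cached(session, perm):
    """Flawed: authorizes from values frozen into the session at login, so a
    later revocation by an admin never reaches an already logged-in user."""
    return session["role"] == "admin" or (session["perms"] & perm) == perm


def has_perm_live(session, perm):
    """Hardened: re-reads the user record on every check and rejects sessions
    issued before the last privilege change."""
    u = USERS.get(session["name"])
    if u is None or session["authz_epoch"] != u.authz_epoch:
        return False  # user deleted, or session predates a role/permission change
    return u.role == "admin" or (u.perms & perm) == perm


def admin_revoke(name, perm):
    """Admin action: strip a permission and invalidate sessions issued earlier."""
    u = USERS[name]
    u.perms &= ~perm
    u.authz_epoch += 1


def demo():
    reset_store()
    sess = login("alice")
    before = (has_perm_cached(sess, SETTINGS), has_perm_live(sess, SETTINGS))
    admin_revoke("alice", SETTINGS)
    after = (has_perm_cached(sess, SETTINGS), has_perm_live(sess, SETTINGS))
    return {"before_revoke": before, "after_revoke": after}


if __name__ == "__main__":
    print(demo())
```

The epoch counter is one cheap way to invalidate outstanding sessions without a server-side session table; re-reading the record alone would also pick up the new permissions, but bumping the epoch additionally forces a fresh login, which is the behaviour most operators expect after a role change.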
CVE-2023-47890 | priority P3 | HIGH | CVSS 8.8 | affected: 0.5.0 | 2024-01-08 | source: nvd
CWE-22. pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.
CVE-2025-54140 | priority P3 | HIGH | CVSS 7.5 | affected: >= 0.5.0b3.dev89, < 0.5.0b3.dev90 | 2025-07-22 | source: nvd
CWE-22. pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any loc […]
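CVE-2025-54802 (package parameter in the CNL blueprint) and CVE-2025-54140 (upload filename) are both cases of a client-supplied path component reaching a filesystem write. The following is an added example, not pyLoad's code, of the two checks a practitioner would want in front of such writes: a containment check that canonicalises both sides before comparing, and a filename sanitiser for uploads. The demo inputs and the temp directory are constructed for the demonstration.

```python
import os
import tempfile


def confine(base_dir: str, user_path: str) -> str:
    """Return the absolute path user_path denotes inside base_dir, or raise
    ValueError. Rejects absolute paths and NUL bytes up front, then resolves
    both sides with realpath so '..' segments and symlinks are evaluated
    before the containment check (a plain string prefix test on the
    un-normalised join is the classic mistake)."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise ValueError(f"rejected path: {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes {base_dir!r}: {user_path!r}")
    return candidate


def safe_upload_name(filename: str) -> str:
    """For uploads: keep only the final component of the client-supplied name.
    Backslashes are treated as separators too, since a Windows client (or an
    attacker) may send them and a POSIX basename() would not split on them."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected filename: {filename!r}")
    return name


def demo():
    """Constructed inputs against a fresh temp dir; returns what each resolves to."""
    base = os.path.realpath(tempfile.mkdtemp())
    results = {}
    for p in ["pkg1/links.txt", "../../etc/cron.d/evil", "/etc/passwd", "a/../../b"]:
        try:
            results[p] = os.path.relpath(confine(base, p), base)
        except ValueError:
            results[p] = "REJECTED"
    return results


if __name__ == "__main__":
    print(demo())
```

confine() rejects absolute paths outright rather than silently re-rooting them under the base directory; either policy keeps writes inside the directory, but rejecting makes probing visible in logs.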
CVE-2026-35187 | priority P3 | HIGH | CVSS 7.7 | affected: ≤ 0.5.0b3.dev96 | 2026-04-06 | source: nvd
CWE-918. pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS r […]
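The three missing controls named in CVE-2026-35187 (URL validation, protocol restriction, IP blocklist) fit in one function. The following is an added example, not pyLoad's code, of a pre-fetch URL check: it restricts the scheme, resolves the host, and rejects any address that is not globally routable, including IPv4-mapped IPv6 literals. The resolver is injectable so the check runs offline here; the FAKE_DNS table and the hostnames in it are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host: str) -> set:
    """Every address the name maps to (A and AAAA), via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url: str, resolve=system_resolve) -> bool:
    """True only for http(s) URLs whose host resolves exclusively to globally
    routable addresses. `resolve` is injectable so the check runs offline in
    tests. Caveat: the HTTP client will resolve the name again, so a rebinding
    DNS answer can still redirect the fetch; the fetcher should connect to the
    address vetted here rather than re-resolving."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    try:
        addrs = {ipaddress.ip_address(host)}        # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError):               # NXDOMAIN, bad resolver output
            return False
    if not addrs:
        return False
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped                  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:
            return False                             # loopback, private, link-local, reserved
    return True


# Constructed resolver table for offline demonstration (these names do not exist).
FAKE_DNS = {
    "public.example": {"8.8.8.8"},
    "internal.example": {"10.0.0.5"},
    "mixed.example": {"8.8.8.8", "127.0.0.1"},      # one bad record poisons the set
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"name not found: {host}")
    return FAKE_DNS[host]


def demo():
    urls = [
        "http://public.example/links.txt",
        "http://internal.example/admin",
        "http://mixed.example/",
        "http://127.0.0.1:8000/api",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
        "ftp://public.example/",
    ]
    return {u: is_safe_fetch_url(u, fake_resolve) for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("allow" if ok else "block", url)
```

Note that the check also has to be applied to every hop of a redirect chain, since a public host can 302 to an internal address; with pycurl that means disabling automatic redirect following and re-validating each Location yourself.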
CVE-2026-35464 | priority P3 | HIGH | CVSS 7.5 | fixed in 2026-04-02 | 2026-04-07 | source: nvd
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A […]
CVE-2025-55156 | priority P3 | HIGH | CVSS 7.8 | fixed in 0.5.0b3.dev91 | 2025-08-11 | source: nvd
CWE-89. pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.
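As an added illustration of the CVE-2025-55156 bug class (not pyLoad's code, schema or payload), the block below inserts a list of link URLs for a package two ways: by formatting the values into the SQL string, and through parameterized execution. With the string-built statement a URL containing a quote rewrites the query; here the constructed payload adds a row to a different package, which is the "modify data" outcome the advisory describes. The table layout and the payload are constructed for the demonstration.

```python
import sqlite3


def fresh_db():
    """Constructed schema: one package with one link already present."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE packages(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE links(id INTEGER PRIMARY KEY, package INTEGER, url TEXT);
        INSERT INTO packages(name) VALUES ('mine');
        INSERT INTO links(package, url) VALUES (1, 'http://host.example/keep.bin');
    """)
    return db


def add_links_vulnerable(db, package_id, urls):
    """Builds the statement by string formatting. A URL containing a quote
    changes the SQL that runs: here it appends rows to a different package."""
    values = ", ".join(f"({int(package_id)}, '{u}')" for u in urls)
    db.execute(f"INSERT INTO links(package, url) VALUES {values}")


def add_links_safe(db, package_id, urls):
    """Parameterized: the driver sends values separately from the statement,
    so the same payload is stored as an ordinary string."""
    db.executemany("INSERT INTO links(package, url) VALUES (?, ?)",
                   [(int(package_id), u) for u in urls])


# Constructed payload: closes the string literal and the value tuple, then
# supplies a second tuple targeting package 2 before the trailing quote/paren.
PAYLOAD = "http://host.example/a.bin'), (2, 'http://attacker.example/evil"


def links_for(db, package_id):
    rows = db.execute("SELECT url FROM links WHERE package = ? ORDER BY id", (package_id,))
    return [row[0] for row in rows]


def demo():
    vuln = fresh_db()
    add_links_vulnerable(vuln, 1, [PAYLOAD])
    safe = fresh_db()
    add_links_safe(safe, 1, [PAYLOAD])
    return {
        "vulnerable_pkg2": links_for(vuln, 2),   # row the attacker planted
        "safe_pkg2": links_for(safe, 2),         # nothing: payload stored literally
        "safe_pkg1_last": links_for(safe, 1)[-1],
    }


if __name__ == "__main__":
    print(demo())
```

sqlite3's execute() refuses stacked statements, so this payload works within a single INSERT; drivers or code paths that accept multiple statements (executescript, many MySQL configurations) would also allow the DELETE the advisory mentions. The parameterized form is the fix in every case.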
CVE-2026-32808 | priority P3 | HIGH | CVSS 8.1 | affected: ≤ 0.4.20; fixed in 0.5.0b3.dev97 | 2026-03-20 | source: nvd
CWE-22. pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives […]
CVE-2025-61773 | priority P3 | HIGH | CVSS 8.1 | fixed in 0.5.0b3.dev91 | 2025-10-09 | source: nvd
CWE-74. pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, the pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject […]
CVE-2024-22416 | priority P3 | HIGH | CVSS 8.8 | fixed in 0.5.0b3.dev78 | 2024-01-18 | source: nvd
CWE-352. pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result, any API call can be made via a CSRF […]
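CVE-2024-22416 combines two weaknesses: state-changing API calls honoured over GET, and a session cookie without a SameSite attribute. The following is an added example, not pyLoad's code, showing the corresponding two layers of defence with only the standard library: a Set-Cookie builder that emits SameSite=Strict (plus an audit helper that classifies an existing header), and an API dispatcher that requires POST and a same-origin Origin/Referer for mutating calls. The cookie name, the API call names and the deployment origin are constructed for the demonstration.

```python
from http.cookies import SimpleCookie

COOKIE = "pyload_session"           # constructed cookie name, not pyLoad's
API = {"get_server_version", "add_package", "delete_packages", "set_config_value"}
MUTATING = {"add_package", "delete_packages", "set_config_value"}   # constructed set


def session_cookie_header(value: str, secure: bool = True) -> str:
    """Set-Cookie value with SameSite=Strict so the browser withholds the cookie
    on any cross-site request, including top-level navigations and <img> loads."""
    c = SimpleCookie()
    c[COOKIE] = value
    m = c[COOKIE]
    m["path"] = "/"
    m["httponly"] = True
    m["samesite"] = "Strict"
    if secure:
        m["secure"] = True
    return c.output(header="").strip()


def audit_set_cookie(header: str) -> str:
    """Classify a Set-Cookie line by its SameSite attribute:
    'strict', 'lax', 'none', or 'missing' (browser default applies)."""
    c = SimpleCookie()
    c.load(header)
    for morsel in c.values():
        value = morsel["samesite"].lower()
        return value if value in ("strict", "lax", "none") else "missing"
    return "missing"


def api_flawed(method: str, call: str, headers: dict) -> int:
    """Honours any call over any method: a cross-site GET (e.g. an <img src>)
    carrying the victim's cookie performs the mutation."""
    return 200 if call in API else 404


def api_hardened(method: str, call: str, headers: dict, site_origin: str) -> int:
    """Mutating calls need POST and a matching Origin (falling back to Referer).
    Combine with the Strict cookie above; each layer alone has gaps."""
    if call not in API:
        return 404
    if call in MUTATING:
        if method != "POST":
            return 405
        origin = headers.get("Origin") or headers.get("Referer", "")
        if not origin.startswith(site_origin):
            return 403
    return 200


def demo():
    site = "https://pyload.internal.example"       # constructed deployment origin
    cross_site_get = ("GET", "delete_packages", {"Referer": "https://evil.example/page"})
    cross_site_post = ("POST", "delete_packages", {"Origin": "https://evil.example"})
    same_site_post = ("POST", "delete_packages", {"Origin": site})
    return {
        "flawed_cross_get": api_flawed(*cross_site_get),
        "hardened_cross_get": api_hardened(*cross_site_get, site),
        "hardened_cross_post": api_hardened(*cross_site_post, site),
        "hardened_same_post": api_hardened(*same_site_post, site),
        "cookie": audit_set_cookie(session_cookie_header("s3ss10n")),
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check is a fallback for clients that do not yet enforce SameSite; a per-session CSRF token carried in a header is the usual third layer for JSON APIs and would slot into api_hardened next to the Origin test.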
CVE-2026-45348 | priority P3 | HIGH | CVSS 8.7 | fixed in 0.5.0b3.dev100 | 2026-05-28 | source: nvd
CWE-79. pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between t […]
CVE-2024-32880 | priority P3 | HIGH | CVSS 7.2 | affected: ≤ 0.5.0 | 2024-04-26 | source: nvd
CWE-434. pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution. There is no fix available at the time of publication.