Pyload vulnerabilities
36 known vulnerabilities affecting pyload/pyload.
Total CVEs: 36
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 18, MEDIUM 11, LOW 1
Vulnerabilities
Page 1 of 2
CVE-2026-40071 | MEDIUM | CVSS 5.4 | CWE-863 | fixed in 0.5.0b3.dev97 | 2026-04-09
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad
Sources: cvelistv5, nvd
CVE-2026-35464 | HIGH | CVSS 7.5 | CWE-502 | affected ≤ 0.5.0b3.dev96 | 2026-04-07
pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying securit
Sources: cvelistv5
CVE-2026-35463 | HIGH | CVSS 8.8 | CWE-78 | affected ≤ 0.5.0b3.dev96 | 2026-04-07
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config opti
Sources: cvelistv5, nvd
CVE-2026-35592 | HIGH | CVSS 8.1 | CWE-22 | fixed in 0.5.0b3.dev97 | 2026-04-07
pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level st
Sources: cvelistv5
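The commonprefix flaw above is easy to reproduce without pyLoad. The following is an added example, not pyLoad's own UnTar code: it builds a small in-memory tar (constructed test data) whose member names include a plain "../" traversal and a sibling-directory traversal, then runs each member through the character-level check the entry describes and through a component-level check built on os.path.realpath and os.path.commonpath. The extraction directory /srv/pyload/out is hypothetical and nothing is written to disk.

```python
import io
import os
import tarfile


def inside_by_commonprefix(dest: str, target: str) -> bool:
    """The flawed containment check described for UnTar._safe_extractall.

    os.path.commonprefix compares strings character by character, so a
    target under a sibling directory whose name merely starts with the
    destination name ("out" vs "out_evil") still passes.
    """
    dest = os.path.abspath(dest)
    target = os.path.abspath(target)
    return os.path.commonprefix([dest, target]) == dest


def inside_by_commonpath(dest: str, target: str) -> bool:
    """Component-wise containment check.

    realpath() collapses ".." segments and resolves symlinks that already
    exist under dest; commonpath() then only matches whole path components,
    so "/x/out" and "/x/out_evil/f" share "/x", not "/x/out".
    """
    dest = os.path.realpath(dest)
    target = os.path.realpath(target)
    return os.path.commonpath([dest, target]) == dest


def partition_members(member_names, dest, check):
    """Split archive member names into (accepted, rejected) under `check`."""
    accepted, rejected = [], []
    for name in member_names:
        target = os.path.join(dest, name)
        (accepted if check(dest, target) else rejected).append(name)
    return accepted, rejected


def build_tar(members: dict) -> tarfile.TarFile:
    """Build an in-memory tar from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


# Constructed archive: one benign member, one plain traversal, one sibling-prefix traversal.
CRAFTED_MEMBERS = {
    "readme.txt": b"benign",
    "../escape.txt": b"plain traversal",
    "../out_evil/escape.txt": b"sibling-prefix traversal",
}
DEST = "/srv/pyload/out"  # hypothetical extraction directory; nothing is written


def demo():
    names = build_tar(CRAFTED_MEMBERS).getnames()
    return {
        "commonprefix": partition_members(names, DEST, inside_by_commonprefix),
        "commonpath": partition_members(names, DEST, inside_by_commonpath),
    }


if __name__ == "__main__":
    for check, (ok, bad) in demo().items():
        print(f"{check}: accepted={ok} rejected={bad}")
```

The commonprefix check does reject the obvious "../escape.txt", which is why a fix of this shape can pass a quick test; it is the "../out_evil/..." member, whose canonical path begins with the same characters as the destination, that gets through. Note that commonpath alone is not enough if a symlink pointing outside dest is extracted first and a later member writes through it; a full extractor also has to refuse or re-check symlink and hardlink members.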
CVE-2026-35586 | MEDIUM | CVSS 6.8 | CWE-863 | fixed in 0.5.0b3.dev97 | 2026-04-07
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evalu
Sources: cvelistv5, nvd
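CVE-2026-35463 (admin-only set applied to core options but not plugin options) and CVE-2026-35586 (admin-only set spelled with names that do not exist) are two failure modes of the same allow-list pattern. The block below is an added example, not pyLoad's set_config_value(): the option registries, section names and the ExampleHoster plugin are constructed stand-ins for pyLoad's real config schema. It keys the admin-only set by (section, option) so plugin sections are covered by the same check, and adds a startup self-check that refuses to run if any admin-only entry names an unregistered option, which is exactly the misspelling that CVE-2026-35586 describes.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    name: str
    is_admin: bool = False
    perms: set = field(default_factory=set)


# Constructed option registries; not pyLoad's real config schema.
CORE_OPTIONS = {
    "reconnect": {"enabled", "script"},
    "webui": {"host", "port", "ssl_certfile", "ssl_keyfile"},
    "proxy": {"enabled", "host", "username", "password"},
}
PLUGIN_OPTIONS = {
    "ExampleHoster": {"enabled", "proxy_password"},  # hypothetical plugin section
}

# Admin-only options keyed by (section, option); plugin sections are covered too.
ADMIN_ONLY = {
    ("reconnect", "script"),
    ("webui", "ssl_certfile"),
    ("webui", "ssl_keyfile"),
    ("proxy", "username"),
    ("proxy", "password"),
    ("ExampleHoster", "proxy_password"),
}


def unknown_admin_only_entries(admin_only, *registries):
    """Return entries of admin_only that name no registered option.

    A misspelled entry ("ssl_cert" for "ssl_certfile") silently protects
    nothing, so this is meant to run at startup and fail loudly.
    """
    return sorted(
        (section, option)
        for section, option in admin_only
        if not any(option in reg.get(section, ()) for reg in registries)
    )


def startup_selfcheck():
    bad = unknown_admin_only_entries(ADMIN_ONLY, CORE_OPTIONS, PLUGIN_OPTIONS)
    if bad:
        raise RuntimeError(f"ADMIN_ONLY names unregistered options: {bad}")
    return True


def set_config_value(user, section, option, value, store, plugin=False):
    """Write one config value, applying SETTINGS and admin-only rules on both
    the core and the plugin path."""
    registry = PLUGIN_OPTIONS if plugin else CORE_OPTIONS
    if option not in registry.get(section, ()):
        raise KeyError(f"unknown option {section}.{option}")
    if not user.is_admin and "SETTINGS" not in user.perms:
        raise PermissionDenied(f"{user.name} lacks SETTINGS")
    if (section, option) in ADMIN_ONLY and not user.is_admin:
        raise PermissionDenied(f"{section}.{option} is admin-only")
    store[(section, option)] = value
    return store


if __name__ == "__main__":
    startup_selfcheck()
    editor = User("editor", perms={"SETTINGS"})
    for section, option, plugin in [("webui", "port", False),
                                    ("reconnect", "script", False),
                                    ("ExampleHoster", "proxy_password", True)]:
        try:
            set_config_value(editor, section, option, "x", {}, plugin=plugin)
            print(section, option, "-> allowed")
        except PermissionDenied as e:
            print(section, option, "-> denied:", e)
```

The self-check only catches names that are absent from the registry; it cannot tell you that a dangerous option was never added to the set in the first place. Where the set of sensitive options is hard to enumerate, the more robust design is to mark sensitivity on the option definition itself rather than in a separate list.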
CVE-2026-35459 | CRITICAL | CVSS 9.3 | CWE-918 | affected ≤ 0.5.0b3.dev96 | 2026-04-06
pyLoad has SSRF fix bypass via HTTP redirect
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to
Sources: cvelistv5
CVE-2026-35187 | HIGH | CVSS 7.7 | CWE-918 | affected ≤ 0.5.0b3.dev96 | 2026-04-06
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS r
Sources: cvelistv5, nvd
CVE-2026-33992 | CRITICAL | CVSS 9.3 | CWE-918 | v0.5.0; affected ≤ 0.5.0b3.dev96 | 2026-03-27
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On Digit
Sources: cvelistv5, nvd
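The three SSRF entries above (CVE-2026-33992, no validation at all; CVE-2026-35187, no scheme restriction or address blocklist in parse_urls; CVE-2026-35459, validation of the first URL only while the client follows redirects on its own) share one correct shape for the fix: validate the scheme and every resolved address, and re-run that validation on every redirect hop instead of letting the HTTP client follow Location headers. The block below is an added example, not pyLoad's BaseDownloader; the DNS table and HTTP responses are constructed so it runs offline, and the files.example.com host and the 93.184.216.34 address are placeholders.

```python
import ipaddress
from urllib.parse import urljoin, urlparse


def is_public_address(ip_str: str) -> bool:
    """True only for globally routable unicast. is_private covers RFC 1918,
    loopback, link-local (169.254.0.0/16, where cloud metadata lives) and
    the documentation ranges, so construct sample data with a public IP."""
    ip = ipaddress.ip_address(ip_str)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_url(url: str, resolve) -> str:
    """Reject non-HTTP schemes and any host that resolves to a non-public address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {url}")
    if not parsed.hostname:
        raise ValueError(f"no host: {url}")
    addresses = resolve(parsed.hostname)
    if not addresses:
        raise ValueError(f"unresolvable host: {parsed.hostname}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"blocked: {url} -> {addr}")
    return url


REDIRECTS = {301, 302, 303, 307, 308}


def fetch(url: str, http_get, resolve, max_redirs: int = 10, check_every_hop: bool = True):
    """Follow redirects manually and return (body, hops).

    check_every_hop=False reproduces the flawed pattern from CVE-2026-35459:
    validate the initial URL, then follow Location headers unchecked.
    """
    validate_url(url, resolve)
    hops = []
    for _ in range(max_redirs + 1):
        hops.append(url)
        status, location, body = http_get(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            if check_every_hop:
                validate_url(url, resolve)
            continue
        return body, hops
    raise ValueError("too many redirects")


# Constructed DNS table and HTTP responses; nothing here touches the network.
FAKE_DNS = {"files.example.com": ["93.184.216.34"]}
FAKE_HTTP = {
    "https://files.example.com/file.bin": (200, None, b"real download"),
    "https://files.example.com/bounce": (302, "http://169.254.169.254/latest/meta-data/", b""),
    "http://169.254.169.254/latest/meta-data/": (200, None, b"instance metadata"),
}


def fake_resolve(hostname: str):
    try:  # IP literals resolve to themselves
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        return FAKE_DNS.get(hostname, [])


def fake_http_get(url: str):
    return FAKE_HTTP[url]


if __name__ == "__main__":
    print(fetch("https://files.example.com/file.bin", fake_http_get, fake_resolve))
    print(fetch("https://files.example.com/bounce", fake_http_get, fake_resolve, check_every_hop=False))
    try:
        fetch("https://files.example.com/bounce", fake_http_get, fake_resolve)
    except ValueError as e:
        print("per-hop check:", e)
```

Resolving a name for validation and then letting the client resolve it again to connect leaves a DNS rebinding window; in a real downloader the connection should be pinned to the address that was validated (libcurl's CURLOPT_RESOLVE does this) or the peer address checked after connect. Disabling FOLLOWLOCATION is what makes the per-hop check possible in the first place; with it enabled, the client never hands the intermediate URLs back to the caller.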
CVE-2026-33509 | HIGH | CVSS 8.8 | CWE-269 | affected ≥ 0.4, ≤ 0.4.20; ≤ 0.5.0b3.dev96 | 2026-03-24
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subpr
Sources: cvelistv5, nvd
CVE-2026-33511 | HIGH | CVSS 8.8 | CWE-639 | affected ≤ 0.4.20; >= 0.4.20, < 0.5.0b3.dev97 | 2026-03-24
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to
Sources: cvelistv5, nvd
CVE-2026-33314 | MEDIUM | CVSS 6.5 | CWE-287 | fixed in 0.5.0b3.dev97 | 2026-03-24
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downl
Sources: cvelistv5, nvd
CVE-2026-32808 | HIGH | CVSS 8.1 | CWE-22 | affected ≤ 0.4.20; fixed in 0.5.0b3.dev97 | 2026-03-20
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives
Sources: cvelistv5, nvd
CVE-2026-29778 | MEDIUM | CVSS 6.5 | CWE-23 | affected >= 0.5.0b3.dev13, < 0.5.0b3.dev97 | 2026-03-07
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences.
Sources: cvelistv5, nvd
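A single str.replace("../", "") is defeated by an input that reassembles "../" once the inner copy is removed. The block below is an added example, not pyLoad's edit_package(): it shows what the single-pass strip produces for a few crafted names, why looping until stable is still not sufficient, and an allow-list validator written on the assumption (mine, not the page's) that a package folder is meant to be a single directory name under the download root, so that no path separator needs to be accepted at all.

```python
import re


def strip_dotdot_once(pack_folder: str) -> str:
    """The flawed single-pass sanitiser: one str.replace of '../'."""
    return pack_folder.replace("../", "")


def strip_dotdot_until_stable(pack_folder: str) -> str:
    """Looping until nothing changes closes the reassembly bypass, but still
    lets absolute paths, backslashes and a bare '..' through untouched."""
    while "../" in pack_folder:
        pack_folder = pack_folder.replace("../", "")
    return pack_folder


# One path component: must start alphanumeric (so "." and ".." and dotfiles
# are out), then a bounded run of safe characters; no "/" or "\" anywhere.
FOLDER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}")


def validate_pack_folder(pack_folder: str) -> str:
    """Allow-list validation: accept a single directory name or refuse."""
    if not FOLDER_NAME.fullmatch(pack_folder):
        raise ValueError(f"invalid package folder name: {pack_folder!r}")
    return pack_folder


# Constructed inputs: a normal name, two reassembling sequences, and shapes
# that string stripping never addresses.
CASES = ["My Package", "....//....//etc", "..././secret", "../x", "/abs/path", "..\\win"]


def compare(names=CASES):
    """Rows of (input, single-pass result, stable-loop result, allow-list result or None)."""
    rows = []
    for name in names:
        try:
            accepted = validate_pack_folder(name)
        except ValueError:
            accepted = None
        rows.append((name, strip_dotdot_once(name), strip_dotdot_until_stable(name), accepted))
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The second column is the interesting one: "....//....//etc" becomes "../../etc" after a single pass, which is a working traversal handed to whatever joins it onto the download directory. The loop variant returns "etc", which looks safe, but "/abs/path" and "..\\win" pass through both string filters unchanged, which is why a deny-list of substrings is the wrong tool for a value that ends up in a filesystem path.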
CVE-2025-61773 | HIGH | CVSS 8.1 | CWE-74 | fixed in 0.5.0b3.dev91 | 2025-10-09
pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject
Sources: cvelistv5, nvd
CVE-2025-57751 | HIGH | CVSS 7.7 | CWE-400 | fixed in 0.5.0b3.dev92 | 2025-08-21
pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of jk parameter verification, the jk parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive. This vulnerab
Sources: cvelistv5, nvd
CVE-2025-55156 | HIGH | CVSS 7.8 | CWE-89 | fixed in 0.5.0b3.dev91 | 2025-08-11
pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.
Sources: cvelistv5, nvd
CVE-2025-54802 | CRITICAL | CVSS 9.8 | CWE-22 | affected >= 0.5.0b3.dev89, < 0.5.0b3.dev90 | 2025-08-05
pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path const
Sources: cvelistv5, nvd
CVE-2025-54140 | HIGH | CVSS 7.5 | CWE-22 | affected >= 0.5.0b3.dev89, < 0.5.0b3.dev90 | 2025-07-22
pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any loc
Sources: cvelistv5, nvd
CVE-2025-53890 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 0.5.0b3.dev89 | 2025-07-15
pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad's CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in
Sources: cvelistv5, nvd
CVE-2025-7346 | HIGH | CVSS 8.7 | CWE-281 | affected ≤ 0.5.0b3.dev77 | 2025-07-08
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages
Sources: cvelistv5, nvd
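CVE-2026-33511, CVE-2026-33314 and CVE-2025-7346 all describe the same weakness in a "local only" decorator: deciding locality from something the client sends (the Host header) rather than from the connection itself. The block below is an added example, not pyLoad's local_check decorator: it puts the header-based check beside a peer-address check on a minimal constructed request object, and runs both against a genuine loopback client and a remote client that sets Host to localhost. The view names and the 9666 port in the sample headers are placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    pass


@dataclass
class Request:
    """Minimal stand-in for a WSGI request: TCP peer address plus headers."""
    remote_addr: str
    headers: dict = field(default_factory=dict)


LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


def host_without_port(host_header: str) -> str:
    if host_header.startswith("["):          # "[::1]:9666"
        return host_header[1:host_header.find("]")]
    return host_header.split(":", 1)[0]


def local_check_by_host_header(view):
    """Flawed: the Host header is chosen by whoever opened the connection."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if host_without_port(request.headers.get("Host", "")) not in LOCAL_HOSTNAMES:
            raise Forbidden("not local")
        return view(request, *args, **kwargs)
    return wrapper


def local_check_by_peer_address(view):
    """Fixed: only the socket's peer address says where the client is."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        try:
            peer = ipaddress.ip_address(request.remote_addr)
        except ValueError:
            raise Forbidden("unparseable peer address") from None
        if not peer.is_loopback:
            raise Forbidden("not local")
        return view(request, *args, **kwargs)
    return wrapper


@local_check_by_host_header
def addcrypted_host_checked(request):
    return "package queued"


@local_check_by_peer_address
def addcrypted_peer_checked(request):
    return "package queued"


# Constructed requests: a real local client, and a remote client spoofing Host.
LOCAL = Request("127.0.0.1", {"Host": "127.0.0.1:9666"})
SPOOFED = Request("198.51.100.7", {"Host": "localhost:9666"})


def outcome(view, request):
    try:
        return view(request)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    for label, req in [("local", LOCAL), ("spoofed", SPOOFED)]:
        print(label, "host-header:", outcome(addcrypted_host_checked, req),
              "| peer-address:", outcome(addcrypted_peer_checked, req))
```

remote_addr has to be the address the socket reports, not a value recovered from X-Forwarded-For, which is just as client-controlled as Host. Behind a reverse proxy every request arrives from the proxy's address, so a loopback check there is either always true or always false; the local-only requirement then belongs in the proxy configuration, or the endpoint should simply be bound to the loopback interface.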