Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
20 vulnerabilities found for pyload-ng by pyload-ng_project
CVE-2026-33511 (GCVE-0-2026-33511)
Vulnerability from nvd – Published: 2026-03-24 18:56 – Updated: 2026-03-25 14:28
VLAI?
Title
pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33511",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:59:02.731679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:28:19.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.20, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad\u0027s ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:56:08.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"
}
],
"source": {
"advisory": "GHSA-g5j2-gxqh-x7pw",
"discovery": "UNKNOWN"
},
"title": "pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33511",
"datePublished": "2026-03-24T18:56:08.886Z",
"dateReserved": "2026-03-20T16:59:08.890Z",
"dateUpdated": "2026-03-25T14:28:19.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33509 (GCVE-0-2026-33509)
Vulnerability from nvd – Published: 2026-03-24 18:55 – Updated: 2026-03-26 19:52
VLAI?
Title
pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.
Severity ?
7.5 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33509",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T19:33:56.387911Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T19:52:12.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager\u0027s reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder \u2014 all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:55:37.033Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"
}
],
"source": {
"advisory": "GHSA-r7mc-x6x7-cqxx",
"discovery": "UNKNOWN"
},
"title": "pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33509",
"datePublished": "2026-03-24T18:55:37.033Z",
"dateReserved": "2026-03-20T16:59:08.889Z",
"dateUpdated": "2026-03-26T19:52:12.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33314 (GCVE-0-2026-33314)
Vulnerability from nvd – Published: 2026-03-24 18:52 – Updated: 2026-03-26 19:52
VLAI?
Title
pyload-ng: Improper Authentication and Origin Validation Error
Summary
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.
Severity ?
6.5 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33314",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T19:33:35.949774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T19:52:13.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click\u0027N\u0027Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:52:28.834Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r"
}
],
"source": {
"advisory": "GHSA-q485-cg9q-xq2r",
"discovery": "UNKNOWN"
},
"title": "pyload-ng: Improper Authentication and Origin Validation Error"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33314",
"datePublished": "2026-03-24T18:52:28.834Z",
"dateReserved": "2026-03-18T21:23:36.676Z",
"dateUpdated": "2026-03-26T19:52:13.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32808 (GCVE-0-2026-32808)
Vulnerability from nvd – Published: 2026-03-20 01:45 – Updated: 2026-03-25 14:29
VLAI?
Title
pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification
Summary
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
Severity ?
8.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32808",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:28:11.035693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:29:07.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.9-6262-g2fa0b11d3, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T01:45:57.970Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3"
}
],
"source": {
"advisory": "GHSA-7g4m-8hx2-4qh3",
"discovery": "UNKNOWN"
},
"title": "pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32808",
"datePublished": "2026-03-20T01:45:07.446Z",
"dateReserved": "2026-03-16T17:35:36.695Z",
"dateUpdated": "2026-03-25T14:29:07.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29778 (GCVE-0-2026-29778)
Vulnerability from nvd – Published: 2026-03-07 15:28 – Updated: 2026-03-09 18:26
VLAI?
Title
pyLoad: Arbitrary File Write via Path Traversal in edit_package()
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
Severity ?
7.1 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29778",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T17:52:31.612889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:26:46.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0b3.dev13, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T15:28:36.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw"
}
],
"source": {
"advisory": "GHSA-6px9-j4qr-xfjw",
"discovery": "UNKNOWN"
},
"title": "pyLoad: Arbitrary File Write via Path Traversal in edit_package()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29778",
"datePublished": "2026-03-07T15:28:36.919Z",
"dateReserved": "2026-03-04T16:26:02.898Z",
"dateUpdated": "2026-03-09T18:26:46.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54802 (GCVE-0-2025-54802)
Vulnerability from nvd – Published: 2025-08-05 00:06 – Updated: 2025-08-05 14:29
VLAI?
Title
pyLoad CNL Blueprint is vulnerable to Path Traversal through `dlc_path` leading to Remote Code Execution (RCE)
Summary
pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54802",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T14:29:40.016514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T14:29:43.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0b3.dev89, \u003c 0.5.0b3.dev90"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T00:06:48.834Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264"
},
{
"name": "https://github.com/pyload/pyload/pull/4596",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/pull/4596"
},
{
"name": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4"
}
],
"source": {
"advisory": "GHSA-48rp-jc79-2264",
"discovery": "UNKNOWN"
},
"title": "pyLoad CNL Blueprint is vulnerable to Path Traversal through `dlc_path` leading to Remote Code Execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54802",
"datePublished": "2025-08-05T00:06:48.834Z",
"dateReserved": "2025-07-29T16:50:28.395Z",
"dateUpdated": "2025-08-05T14:29:43.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22416 (GCVE-0-2024-22416)
Vulnerability from nvd – Published: 2024-01-17 23:48 – Updated: 2025-06-17 21:19
VLAI?
Title
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
Summary
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
Severity ?
9.7 (Critical)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.922Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm"
},
{
"name": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e"
},
{
"name": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T01:21:47.300988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:19.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev78"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-17T23:48:31.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm"
},
{
"name": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e"
},
{
"name": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc"
}
],
"source": {
"advisory": "GHSA-pgpj-v85q-h5fm",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22416",
"datePublished": "2024-01-17T23:48:31.422Z",
"dateReserved": "2024-01-10T15:09:55.552Z",
"dateUpdated": "2025-06-17T21:19:19.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0509 (GCVE-0-2023-0509)
Vulnerability from nvd – Published: 2023-01-26 00:00 – Updated: 2025-03-31 16:45
VLAI?
Title
Improper Certificate Validation in pyload/pyload
Summary
Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
Severity ?
7.4 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pyload | pyload/pyload |
Affected:
unspecified , < 0.5.0b3.dev44
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:49.018Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0509",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:45:22.563280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:45:30.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload/pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev44",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-26T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839"
},
{
"url": "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb"
}
],
"source": {
"advisory": "a370e0c2-a41c-4871-ad91-bc6f31a8e839",
"discovery": "EXTERNAL"
},
"title": "Improper Certificate Validation in pyload/pyload"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0509",
"datePublished": "2023-01-26T00:00:00.000Z",
"dateReserved": "2023-01-26T00:00:00.000Z",
"dateUpdated": "2025-03-31T16:45:30.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0488 (GCVE-0-2023-0488)
Vulnerability from nvd – Published: 2023-01-26 00:00 – Updated: 2025-03-31 16:47
VLAI?
Title
Cross-site Scripting (XSS) - Stored in pyload/pyload
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
Severity ?
9.6 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pyload | pyload/pyload |
Affected:
unspecified , < 0.5.0b3.dev42
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:10:56.446Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0488",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:46:52.053308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:47:00.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload/pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev42",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-26T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a"
},
{
"url": "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd"
}
],
"source": {
"advisory": "4311d8d7-682c-4f2a-b92c-3f9f1a36255a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in pyload/pyload"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0488",
"datePublished": "2023-01-26T00:00:00.000Z",
"dateReserved": "2023-01-25T00:00:00.000Z",
"dateUpdated": "2025-03-31T16:47:00.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0057 (GCVE-0-2023-0057)
Vulnerability from nvd – Published: 2023-01-05 00:00 – Updated: 2025-04-09 15:33
VLAI?
Title
Improper Restriction of Rendered UI Layers or Frames in pyload/pyload
Summary
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.
Severity ?
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pyload | pyload/pyload |
Affected:
unspecified , < 0.5.0b3.dev33
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:54:32.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0057",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T14:23:29.067149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T15:33:56.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload/pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev33",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-05T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d"
},
{
"url": "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64"
}
],
"source": {
"advisory": "12b64f91-d048-490c-94b0-37514b6d694d",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of Rendered UI Layers or Frames in pyload/pyload"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0057",
"datePublished": "2023-01-05T00:00:00.000Z",
"dateReserved": "2023-01-04T00:00:00.000Z",
"dateUpdated": "2025-04-09T15:33:56.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-33511 (GCVE-0-2026-33511)
Vulnerability from cvelistv5 – Published: 2026-03-24 18:56 – Updated: 2026-03-25 14:28
VLAI?
Title
pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33511",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:59:02.731679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:28:19.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.20, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad\u0027s ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:56:08.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"
}
],
"source": {
"advisory": "GHSA-g5j2-gxqh-x7pw",
"discovery": "UNKNOWN"
},
"title": "pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33511",
"datePublished": "2026-03-24T18:56:08.886Z",
"dateReserved": "2026-03-20T16:59:08.890Z",
"dateUpdated": "2026-03-25T14:28:19.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33509 (GCVE-0-2026-33509)
Vulnerability from cvelistv5 – Published: 2026-03-24 18:55 – Updated: 2026-03-26 19:52
VLAI?
Title
pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.
Severity ?
7.5 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33509",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T19:33:56.387911Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T19:52:12.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager\u0027s reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder \u2014 all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:55:37.033Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"
}
],
"source": {
"advisory": "GHSA-r7mc-x6x7-cqxx",
"discovery": "UNKNOWN"
},
"title": "pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33509",
"datePublished": "2026-03-24T18:55:37.033Z",
"dateReserved": "2026-03-20T16:59:08.889Z",
"dateUpdated": "2026-03-26T19:52:12.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33314 (GCVE-0-2026-33314)
Vulnerability from cvelistv5 – Published: 2026-03-24 18:52 – Updated: 2026-03-26 19:52
VLAI?
Title
pyload-ng: Improper Authentication and Origin Validation Error
Summary
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.
Severity ?
6.5 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33314",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T19:33:35.949774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T19:52:13.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click\u0027N\u0027Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:52:28.834Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r"
}
],
"source": {
"advisory": "GHSA-q485-cg9q-xq2r",
"discovery": "UNKNOWN"
},
"title": "pyload-ng: Improper Authentication and Origin Validation Error"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33314",
"datePublished": "2026-03-24T18:52:28.834Z",
"dateReserved": "2026-03-18T21:23:36.676Z",
"dateUpdated": "2026-03-26T19:52:13.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32808 (GCVE-0-2026-32808)
Vulnerability from cvelistv5 – Published: 2026-03-20 01:45 – Updated: 2026-03-25 14:29
VLAI?
Title
pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification
Summary
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97.
Severity ?
8.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32808",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:28:11.035693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:29:07.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.9-6262-g2fa0b11d3, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue has been fixed in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T01:45:57.970Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-7g4m-8hx2-4qh3"
}
],
"source": {
"advisory": "GHSA-7g4m-8hx2-4qh3",
"discovery": "UNKNOWN"
},
"title": "pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32808",
"datePublished": "2026-03-20T01:45:07.446Z",
"dateReserved": "2026-03-16T17:35:36.695Z",
"dateUpdated": "2026-03-25T14:29:07.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29778 (GCVE-0-2026-29778)
Vulnerability from cvelistv5 – Published: 2026-03-07 15:28 – Updated: 2026-03-09 18:26
VLAI?
Title
pyLoad: Arbitrary File Write via Path Traversal in edit_package()
Summary
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
Severity ?
7.1 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29778",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T17:52:31.612889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:26:46.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0b3.dev13, \u003c 0.5.0b3.dev97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of \"../\", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T15:28:36.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw"
}
],
"source": {
"advisory": "GHSA-6px9-j4qr-xfjw",
"discovery": "UNKNOWN"
},
"title": "pyLoad: Arbitrary File Write via Path Traversal in edit_package()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29778",
"datePublished": "2026-03-07T15:28:36.919Z",
"dateReserved": "2026-03-04T16:26:02.898Z",
"dateUpdated": "2026-03-09T18:26:46.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54802 (GCVE-0-2025-54802)
Vulnerability from cvelistv5 – Published: 2025-08-05 00:06 – Updated: 2025-08-05 14:29
VLAI?
Title
pyLoad CNL Blueprint is vulnerable to Path Traversal through `dlc_path` leading to Remote Code Execution (RCE)
Summary
pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54802",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T14:29:40.016514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T14:29:43.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0b3.dev89, \u003c 0.5.0b3.dev90"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T00:06:48.834Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264"
},
{
"name": "https://github.com/pyload/pyload/pull/4596",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/pull/4596"
},
{
"name": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4"
}
],
"source": {
"advisory": "GHSA-48rp-jc79-2264",
"discovery": "UNKNOWN"
},
"title": "pyLoad CNL Blueprint is vulnerable to Path Traversal through `dlc_path` leading to Remote Code Execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54802",
"datePublished": "2025-08-05T00:06:48.834Z",
"dateReserved": "2025-07-29T16:50:28.395Z",
"dateUpdated": "2025-08-05T14:29:43.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22416 (GCVE-0-2024-22416)
Vulnerability from cvelistv5 – Published: 2024-01-17 23:48 – Updated: 2025-06-17 21:19
VLAI?
Title
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
Summary
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
Severity ?
9.7 (Critical)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.922Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm"
},
{
"name": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e"
},
{
"name": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T01:21:47.300988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:19.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev78"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-17T23:48:31.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm"
},
{
"name": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e"
},
{
"name": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc"
}
],
"source": {
"advisory": "GHSA-pgpj-v85q-h5fm",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22416",
"datePublished": "2024-01-17T23:48:31.422Z",
"dateReserved": "2024-01-10T15:09:55.552Z",
"dateUpdated": "2025-06-17T21:19:19.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0509 (GCVE-0-2023-0509)
Vulnerability from cvelistv5 – Published: 2023-01-26 00:00 – Updated: 2025-03-31 16:45
VLAI?
Title
Improper Certificate Validation in pyload/pyload
Summary
Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
Severity ?
7.4 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pyload | pyload/pyload |
Affected:
unspecified , < 0.5.0b3.dev44
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:49.018Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0509",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:45:22.563280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:45:30.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload/pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev44",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-26T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/a370e0c2-a41c-4871-ad91-bc6f31a8e839"
},
{
"url": "https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb"
}
],
"source": {
"advisory": "a370e0c2-a41c-4871-ad91-bc6f31a8e839",
"discovery": "EXTERNAL"
},
"title": "Improper Certificate Validation in pyload/pyload"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0509",
"datePublished": "2023-01-26T00:00:00.000Z",
"dateReserved": "2023-01-26T00:00:00.000Z",
"dateUpdated": "2025-03-31T16:45:30.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0488 (GCVE-0-2023-0488)
Vulnerability from cvelistv5 – Published: 2023-01-26 00:00 – Updated: 2025-03-31 16:47
VLAI?
Title
Cross-site Scripting (XSS) - Stored in pyload/pyload
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
Severity ?
9.6 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pyload | pyload/pyload |
Affected:
unspecified , < 0.5.0b3.dev42
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:10:56.446Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0488",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T16:46:52.053308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T16:47:00.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload/pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev42",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-26T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/4311d8d7-682c-4f2a-b92c-3f9f1a36255a"
},
{
"url": "https://github.com/pyload/pyload/commit/46d75a3087f3237d06530d55998938e2e2bda6bd"
}
],
"source": {
"advisory": "4311d8d7-682c-4f2a-b92c-3f9f1a36255a",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in pyload/pyload"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0488",
"datePublished": "2023-01-26T00:00:00.000Z",
"dateReserved": "2023-01-25T00:00:00.000Z",
"dateUpdated": "2025-03-31T16:47:00.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0057 (GCVE-0-2023-0057)
Vulnerability from cvelistv5 – Published: 2023-01-05 00:00 – Updated: 2025-04-09 15:33
VLAI?
Title
Improper Restriction of Rendered UI Layers or Frames in pyload/pyload
Summary
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.
Severity ?
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pyload | pyload/pyload |
Affected:
unspecified , < 0.5.0b3.dev33
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:54:32.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0057",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T14:23:29.067149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T15:33:56.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload/pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev33",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-05T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/12b64f91-d048-490c-94b0-37514b6d694d"
},
{
"url": "https://github.com/pyload/pyload/commit/bd2a31b7de54570b919aa1581d486e6ee18c0f64"
}
],
"source": {
"advisory": "12b64f91-d048-490c-94b0-37514b6d694d",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of Rendered UI Layers or Frames in pyload/pyload"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0057",
"datePublished": "2023-01-05T00:00:00.000Z",
"dateReserved": "2023-01-04T00:00:00.000Z",
"dateUpdated": "2025-04-09T15:33:56.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}