Aggregates CVE and security vulnerability intelligence across all pyload-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk path handling, vendor risk cross-site scripting, and vendor risk ssrf and related problems; some flaws may lead to vendor impact file overwrite and vendor impact unexpected behavior.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-44226 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in | [email protected] | 5.3 | 0.34% | 2026-05-11 | 2026-05-18 |
| CVE-2026-41133 | pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue an | [email protected] | 8.8 | 0.33% | 2026-04-22 | 2026-04-27 |
| CVE-2026-35464 | pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a | [email protected] | 7.5 | 0.53% | 2026-04-07 | 2026-04-23 |
| CVE-2026-33992 | pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys con | [email protected] | 9.3 | 0.40% | 2026-03-27 | 2026-03-31 |
| CVE-2026-33511 | pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97 | [email protected] | 8.8 | 0.42% | 2026-03-24 | 2026-03-26 |
| CVE-2026-33509 | pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execu | [email protected] | 7.5 | 0.53% | 2026-03-24 | 2026-03-26 |
| CVE-2026-32808 | pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction directory. During password verification, pyLoad derives an archive entry name from 7z listing output and treats it as a filesystem path without constraining it to the extraction directory. This issue ha | [email protected] | 8.1 | 0.33% | 2026-03-20 | 2026-03-26 |
| CVE-2024-1240 | An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79. | [email protected] | 6.1 | 0.32% | 2024-11-15 | 2024-11-19 |
| CVE-2024-47821 | pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file | [email protected] | 9.1 | 0.68% | 2024-10-25 | 2025-03-05 |
| CVE-2024-32880 | pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication. | [email protected] | 9.1 | 1.34% | 2024-04-26 | 2025-09-04 |
| CVE-2024-24808 | pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451. | [email protected] | 4.7 | 0.55% | 2024-02-06 | 2024-11-21 |
| CVE-2023-47890 | pyLoad 0.5.0 is vulnerable to Unrestricted File Upload. | [email protected] | 8.8 | 1.09% | 2024-01-08 | 2025-06-03 |
| CVE-2024-21645 | pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77. | [email protected] | 5.3 | 24.51% | 2024-01-08 | 2024-11-21 |
| CVE-2024-21644 | pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77. | [email protected] | 7.5 | 42.17% | 2024-01-08 | 2024-11-21 |
| CVE-2023-0509 | Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44. | [email protected] | 7.4 | 0.53% | 2023-01-26 | 2024-11-21 |
| CVE-2023-0488 | Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42. | [email protected] | 5.4 | 0.82% | 2023-01-26 | 2024-11-21 |
| CVE-2023-0435 | Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41. | [email protected] | 9.8 | 0.72% | 2023-01-22 | 2024-11-21 |
| CVE-2023-0434 | Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40. | [email protected] | 7.5 | 0.82% | 2023-01-22 | 2024-11-21 |
| CVE-2023-0297 | Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31. | [email protected] | 9.8 | 96.99% | 2023-01-14 | 2024-11-21 |
| CVE-2023-0227 | Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36. | [email protected] | 6.5 | 0.66% | 2023-01-12 | 2024-11-21 |