High severity · NVD Advisory · Published Jan 8, 2024 · Updated Jun 17, 2025
pyLoad unauthenticated flask configuration leakage
CVE-2024-21644
Description
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRET_KEY variable. This issue has been patched in version 0.5.0b3.dev77.
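Flask makes the application's `config` object available in every Jinja template, so a template expression that reads `config` prints the Flask configuration whenever the view has not supplied its own value under that name. The check below is an added example, not code from pyLoad or from the advisory: it flags view context keys that reuse a Flask-injected name and template expressions that read `config`. The function names and the sample strings are assumptions, constructed from the lines shown in the fix commit under Patches.

```python
import re

# Names Flask places in every Jinja template context without the view passing them.
FLASK_CONTEXT_NAMES = {"config", "request", "session", "g"}
# Of those, the one whose rendering discloses secrets such as SECRET_KEY.
SENSITIVE_NAMES = {"config"}

_EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)  # {{ ... }} and {% ... %}
_STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
# Bare identifier: not an attribute (x.name) and not a keyword argument (name=).
_NAME = re.compile(r"(?<![\w.])([A-Za-z_]\w*)(?!\w)(?!\s*=(?!=))")


def colliding_context_keys(view_keys):
    """Keys a view puts in its template context that reuse a Flask-injected name."""
    return sorted(set(view_keys) & FLASK_CONTEXT_NAMES)


def sensitive_template_reads(source, names=SENSITIVE_NAMES):
    """Return (line, name, expression) for each expression that reads a sensitive name."""
    hits = []
    for m in _EXPR.finditer(source):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        body = _STRING.sub('""', body)  # ignore words inside string literals
        line = source.count("\n", 0, m.start()) + 1
        for name in _NAME.findall(body):
            if name in names:
                hits.append((line, name, m.group(0).strip()))
    return hits


# Constructed samples modelled on the theme info.html lines and info() keys in the patch.
BEFORE_TEMPLATE = """<dt><b>{{_('Installation Folder:')}}</b></dt>
<dd>{{folder}}</dd>
<dt><b>{{_('Config Folder:')}}</b></dt>
<dd>{{config}}</dd>
"""
AFTER_TEMPLATE = BEFORE_TEMPLATE.replace("{{config}}", "{{config_folder}}")
BEFORE_KEYS = ["os", "version", "folder", "config", "download", "freespace", "webif"]
AFTER_KEYS = ["config_folder" if k == "config" else k for k in BEFORE_KEYS]

if __name__ == "__main__":
    for label, tpl, keys in (("before", BEFORE_TEMPLATE, BEFORE_KEYS),
                             ("after", AFTER_TEMPLATE, AFTER_KEYS)):
        print(label, colliding_context_keys(keys), sensitive_template_reads(tpl))
```

Run over a project's template directory in CI, a non-empty result from either function is a reason to rename the variable before release.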
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyload-ng (PyPI) | < 0.5.0b3.dev77 | 0.5.0b3.dev77 |
Affected products (1)
Patches (1)
bb22063a875f fix GHSA-mqpq-2p68-46fv security advisory
4 files changed · +27 −27
src/pyload/webui/app/blueprints/app_blueprint.py+1 −1 modified@@ -452,7 +452,7 @@ def info(): "os": " ".join((os.name, sys.platform) + extra), "version": api.get_server_version(), "folder": PKGDIR, - "config": api.get_userdir(), + "config_folder": api.get_userdir(), "download": conf["general"]["storage_folder"]["value"], "freespace": format.size(api.free_space()), "webif": conf["webui"]["port"]["value"],
src/pyload/webui/app/templates/info.html+24 −24 modified@@ -4,11 +4,11 @@ <script type="text/javascript" src="{{theme_template('js/info.js')}}"></script> {% endblock %} -{% block title %}{{ _("Information") }} - {{ super() }} {% endblock %} -{% block subtitle %}{{ _("Information") }}{% endblock %} +{% block title %}{{_("Information")}} - {{super()}} {% endblock %} +{% block subtitle %}{{_("Information")}}{% endblock %} {% block content %} -<h3>{{ _("Support") }}</h3> +<h3>{{_("Support")}}</h3> <ul> <li style="font-weight:bold;"><a href="https://pyload.net" target="_blank">Official Website</a></li> <li style="font-weight:bold;"> 
@@ -27,51 +27,51 @@ <h3>{{ _("Support") }}</h3> </li> </ul> -<h3>{{ _("System") }}</h3> +<h3>{{_("System")}}</h3> <table class="system"> <tr> - <td>{{ _("Python version:") }}</td> - <td>{{ python }}</td> + <td>{{_("Python version:")}}</td> + <td>{{python}}</td> </tr> <tr> - <td>{{ _("OS platform:") }}</td> - <td>{{ os }}</td> + <td>{{_("OS platform:")}}</td> + <td>{{os}}</td> </tr> </table> -<h3>{{ _("Storage") }}</h3> +<h3>{{_("Storage")}}</h3> <table class="system"> <tr> - <td>{{ _("Download folder:") }}</td> - <td>{{ download }}</td> + <td>{{_("Download folder:")}}</td> + <td>{{download}}</td> </tr> <tr> - <td>{{ _("Available space:") }}</td> - <td>{{ freespace }}</td> + <td>{{_("Available space:")}}</td> + <td>{{freespace}}</td> </tr> </table> -<h3>{{ _("pyLoad") }}</h3> +<h3>{{_("pyLoad")}}</h3> <table class="system"> <tr> - <td>{{ _("Version:") }}</td> - <td>{{ version }}</td> + <td>{{_("Version:")}}</td> + <td>{{version}}</td> </tr> <tr> - <td>{{ _("Installation folder:") }}</td> - <td>{{ folder }}</td> + <td>{{_("Installation folder:")}}</td> + <td>{{folder}}</td> </tr> <tr> - <td>{{ _("Config folder:") }}</td> - <td>{{ config }}</td> + <td>{{_("Config folder:")}}</td> + <td>{{config_folder}}</td> </tr> <tr> - <td>{{ _("Language:") }}</td> - <td>{{ language }}</td> + <td>{{_("Language:")}}</td> + <td>{{language}}</td> </tr> <tr> - <td>{{ _("WebUI port:") }}</td> - <td>{{ webif }}</td> + <td>{{_("WebUI port:")}}</td> + <td>{{webif}}</td> </tr> </table> {% endblock %}
src/pyload/webui/app/themes/modern/templates/info.html+1 −1 modified@@ -57,7 +57,7 @@ <h3>{{ _("pyLoad") }}</h3> <dt class="col-xs-12 col-sm-3"><b>{{_('Installation Folder:')}}</b></dt> <dd class="col-xs-12 col-sm-9">{{folder}}</dd> <dt class="col-xs-12 col-sm-3"><b>{{_('Config Folder:')}}</b></dt> - <dd class="col-xs-12 col-sm-9">{{config}}</dd> + <dd class="col-xs-12 col-sm-9">{{config_folder}}</dd> <dt class="col-xs-12 col-sm-3"><b>{{_('Language:')}}</b></dt> <dd class="col-xs-12 col-sm-9">{{language}}</dd> </dl>
src/pyload/webui/app/themes/pyplex/templates/info.html+1 −1 modified@@ -57,7 +57,7 @@ <h3>{{ _("pyLoad") }}</h3> <dt class="col-xs-12 col-sm-3"><b>{{_('Installation Folder:')}}</b></dt> <dd class="col-xs-12 col-sm-9">{{folder}}</dd> <dt class="col-xs-12 col-sm-3"><b>{{_('Config Folder:')}}</b></dt> - <dd class="col-xs-12 col-sm-9">{{config}}</dd> + <dd class="col-xs-12 col-sm-9">{{config_folder}}</dd> <dt class="col-xs-12 col-sm-3"><b>{{_('Language:')}}</b></dt> <dd class="col-xs-12 col-sm-9">{{language}}</dd> </dl>
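Review bot: in src/pyload/webui/app/blueprints/app_blueprint.py, the renamed key in info() (`"config_folder": api.get_userdir(),`) carries no comment saying why it must not be called `config`. Flask already exposes the application config to templates under that name, so a later cleanup that shortens the key back would reintroduce the disclosure the advisory describes. Suggest a one-line comment above the key and a regression test that renders info.html without this dict and asserts that SECRET_KEY is absent from the output.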
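Review bot: in src/pyload/webui/app/templates/info.html, 23 of the 24 changed lines only strip the spaces inside `{{ ... }}`; the single line that matters for the advisory is `<td>{{ config }}</td>` becoming `<td>{{config_folder}}</td>` in the pyLoad table. Mixing the two makes the security change hard to audit and to backport. Suggest moving the whitespace normalisation to a separate commit so the fix is a one-line change in this file, as it is in the two theme templates.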
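Review bot: in themes/modern/templates/info.html and themes/pyplex/templates/info.html the same `{{config}}` to `{{config_folder}}` edit is repeated by hand, which together with templates/info.html makes three copies that must track the key name used in info(). Nothing in the patch enforces that no template still reads `config`. Suggest a test that scans every template under src/pyload/webui/app for a bare `config` reference and fails the build if one is found.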
References (4)
- github.com/advisories/GHSA-mqpq-2p68-46fv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-21644 (ghsa, ADVISORY)
- github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40 (ghsa, x_refsource_MISC, WEB)
- github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv (ghsa, x_refsource_CONFIRM, WEB)