Moderate severityNVD Advisory· Published Jan 8, 2024· Updated Nov 14, 2024

pyLoad Log Injection

CVE-2024-21645

Description

pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in pyload allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pyload-ngPyPI	< 0.5.0b3.dev77	0.5.0b3.dev77

Affected products

Pyload/Pyloadv5
Range: < 0.5.0b3.dev77

Patches

4159a1191ec4

fix GHSA-ghmw-rwh8-6qmr security advisory

https://github.com/pyload/pyloadGammaC0deJan 6, 2024via ghsa

commit

2 files changed · +6 −4

src/pyload/webui/app/blueprints/api_blueprint.py+3 −2 modified

@@ -86,12 +86,13 @@ def login():
     api = flask.current_app.config["PYLOAD_API"]
     user_info = api.check_auth(user, password)
 
+    sanitized_user = user.replace("\n", "\\n").replace("\r", "\\r")
     if not user_info:
-        log.error(f"Login failed for user '{user}'")
+        log.error(f"Login failed for user '{sanitized_user}'")
         return jsonify(False)
 
     s = set_session(user_info)
-    log.info(f"User '{user}' successfully logged in")
+    log.info(f"User '{sanitized_user}' successfully logged in")
     flask.flash("Logged in successfully")
 
     return jsonify(s)

src/pyload/webui/app/blueprints/app_blueprint.py+3 −2 modified

@@ -54,12 +54,13 @@ def login():
         password = flask.request.form["password"]
         user_info = api.check_auth(user, password)
 
+        sanitized_user = user.replace("\n", "\\n").replace("\r", "\\r")
         if not user_info:
-            log.error(f"Login failed for user '{user}'")
+            log.error(f"Login failed for user '{sanitized_user}'")
             return render_template("login.html", next=next, errors=True)
 
         set_session(user_info)
-        log.info(f"User '{user}' successfully logged in")
+        log.info(f"User '{sanitized_user}' successfully logged in")
         flask.flash("Logged in successfully")
 
     if is_authenticated():

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-ghmw-rwh8-6qmrghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-21645ghsaADVISORY
github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381dghsax_refsource_MISCWEB
github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmrghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.057
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000