VYPR
High severity · OSV Advisory · Published Aug 11, 2025 · Updated Apr 15, 2026

CVE-2025-55156

Description

pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pyLoad < 0.5.0b3.dev91 has SQL injection in the /json/add_package API via the add_links parameter, allowing database manipulation.

Vulnerability

pyLoad before version 0.5.0b3.dev91 contains a SQL injection vulnerability in the /json/add_package API endpoint. The update_link_info function in file_database.py [4] joins the submitted URLs with "','" and interpolates the result into SELECT id FROM links WHERE url IN ('...'), so a URL supplied through the add_links parameter that contains a single quote escapes the string literal and the attacker controls the remainder of the query [3].

Exploitation

An attacker can exploit this by sending a crafted POST request to /json/add_package with a malicious add_links value. The advisory [3] provides a proof-of-concept demonstrating injection such as ') or 1; Drop table users;--. The vulnerability chain involves multiple API and database calls, ultimately reaching the vulnerable update_link_info method.
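The following is an added example, not pyLoad's code: it reproduces the shape of the removed and the patched update_link_info lookup against an in-memory SQLite database with a constructed links table, then runs both with a benign URL and with a URL that breaks out of the quoted IN list. The table layout, sample rows, helper names and the tautology payload are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for pyLoad's `links` table
# (id, name, size, status, url). Not pyLoad's real schema or data.
SAMPLE_LINKS = [
    (1, "a.bin", 100, 3, "http://example.invalid/a.bin"),
    (2, "b.bin", 200, 3, "http://example.invalid/b.bin"),
    (3, "c.bin", 300, 3, "http://example.invalid/c.bin"),
]

# Same parameterized UPDATE as the advisory's hunk; data tuples are
# (name, size, status, url), so x[3] is the url.
UPDATE_SQL = (
    "UPDATE links SET name=?, size=?, status=? "
    "WHERE url=? AND status IN (1,2,3,14)"
)


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE links (id INTEGER PRIMARY KEY, name TEXT, "
        "size INTEGER, status INTEGER, url TEXT)"
    )
    conn.executemany("INSERT INTO links VALUES (?, ?, ?, ?, ?)", SAMPLE_LINKS)
    conn.commit()
    return conn


def update_link_info_vulnerable(conn, data):
    """Pre-patch shape: the UPDATE is bound, but the URL list for the
    follow-up SELECT is spliced into the SQL text with "','".join()."""
    c = conn.cursor()
    c.executemany(UPDATE_SQL, data)
    urls = "','".join(x[3] for x in data)
    c.execute(f"SELECT id FROM links WHERE url IN ('{urls}')")  # injectable
    return [int(r[0]) for r in c.fetchall()]


def update_link_info_fixed(conn, data):
    """Patched shape: one '?' per URL, values bound by the driver."""
    c = conn.cursor()
    c.executemany(UPDATE_SQL, data)
    urls = [x[3] for x in data]
    if not urls:  # assumption: skip the query rather than emit IN ()
        return []
    placeholders = ",".join("?" * len(urls))
    c.execute(f"SELECT id FROM links WHERE url IN ({placeholders})", urls)
    return [int(r[0]) for r in c.fetchall()]


# Assumed payload in the url position. Python's sqlite3 execute() refuses a
# second statement in one string, so a stacked "; DROP TABLE ..." suffix
# would raise ProgrammingError here; closing the quoted list and appending
# a tautology is enough to show the lookup being hijacked.
INJECTED_URL = "') OR 1 --"


def demo():
    """Return (benign_vuln, benign_fixed, injected_vuln, injected_fixed)."""
    benign = [("a.bin", 100, 3, "http://example.invalid/a.bin")]
    hostile = [("x", 0, 3, INJECTED_URL)]
    conn = make_db()
    results = (
        sorted(update_link_info_vulnerable(conn, benign)),
        sorted(update_link_info_fixed(conn, benign)),
        sorted(update_link_info_vulnerable(conn, hostile)),  # every id returned
        sorted(update_link_info_fixed(conn, hostile)),       # literal lookup, no match
    )
    conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

With the injected URL the string-built query becomes `SELECT id FROM links WHERE url IN ('') OR 1 --')`, which returns every row, while the parameterized version treats the same bytes as a plain string and matches nothing. The stacked-statement form in the advisory's payload is not exercised here because the sqlite3 module executes only one statement per execute() call.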

Impact

Successful exploitation allows an attacker to execute arbitrary SQL statements, leading to modification or deletion of database records, data loss, and potential leakage of sensitive information [2][3].

Mitigation

The issue has been fixed in pyLoad version 0.5.0b3.dev91. Users are strongly advised to upgrade to this or a later version [3]. No workaround is provided.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
pyload-ng (PyPI)   < 0.5.0b3.dev91     0.5.0b3.dev91

Affected products (2)

  • Pyload/Pyload (OSV), 2 versions: v0.1, v0.1.1, v0.2, …+ 1 more
    • (no CPE) range: v0.1, v0.1.1, v0.2, …
    • (no CPE) range: <0.5.0b3.dev91

Patches (1)

134edcdf6e2a

fix GHSA-pwh4-6r3m-j2rf security advisory

https://github.com/pyload/pyload · GammaC0de · Aug 9, 2025 · via ghsa
1 file changed · +5 −5
  • src/pyload/core/database/file_database.py · +5 −5 · modified
    @@ -266,11 +266,11 @@ def update_link_info(self, data):
                 "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
                 data,
             )
    -        ids = []
    -        statuses = "','".join(x[3] for x in data)
    -        self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
    -        for r in self.c:
    -            ids.append(int(r[0]))
    +        urls = [x[3] for x in data]
    +        placeholders = ','.join('?' * len(urls))  # Create a parameterized query with the correct number of placeholders
    +        self.c.execute(f"SELECT id FROM links WHERE url IN ({placeholders})", urls)
    +
    +        ids = [int(row[0]) for row in self.c.fetchall()]
             return ids
     
         @style.queue
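Review bot: the placeholder list built on the `placeholders = ','.join('?' * len(urls))` line has no upper bound, and SQLite caps bound parameters per statement (SQLITE_MAX_VARIABLE_NUMBER, 999 by default in builds before 3.32.0), so a large add_package batch can make this SELECT fail with "too many SQL variables" where the old string-built query did not; chunk urls into fixed-size batches and concatenate the ids. An empty data list yields `url IN ()`, which SQLite tolerates but is worth an early `return []` before the UPDATE. The inline comment on the placeholders line pushes it well past the surrounding line width; a short comment on its own line above would read better.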
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.