High severity · NVD Advisory · Published Jul 8, 2025 · Updated Apr 15, 2026
CVE-2025-7346
Description
Any unauthenticated attacker can bypass the localhost restrictions imposed by the application and use this to create arbitrary packages.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyload-ng (PyPI) | <= 0.5.0b3.dev88 | — |
Patches
1 file changed · +1 −5
src/pyload/webui/app/blueprints/cnl_blueprint.py+1 −5 modified@@ -23,12 +23,8 @@ def local_check(func): @wraps(func) def wrapper(*args, **kwargs): remote_addr = flask.request.environ.get("REMOTE_ADDR", "0") - http_host = flask.request.environ.get("HTTP_HOST", "0") - if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in ( - "127.0.0.1:9666", - "[::1]:9666", - ): + if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost"): return func(*args, **kwargs) else: return "Forbidden", 403
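Review bot: The remaining condition in `wrapper` relies on `REMOTE_ADDR` alone, and that value is the address of the immediate peer, so if the web UI is ever served through a reverse proxy on the same host, every proxied request arrives from 127.0.0.1 and passes `local_check`. Please document on the decorator that it assumes a direct connection, or reject requests that carry forwarding headers. The `"localhost"` entry in the tuple can be dropped, since `REMOTE_ADDR` holds an IP address and never a hostname. A regression test that sends a request from a non-loopback address with `Host: 127.0.0.1:9666` and expects the 403 response would keep the removed `HTTP_HOST` branch from coming back.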
References
- github.com/advisories/GHSA-x698-5hjm-w2m5 (ghsa, ADVISORY)
- github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py (ghsa, WEB)
- github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840 (ghsa, WEB)
- github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5 (nvd, WEB)