VYPR
Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 25, 2026

pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad

CVE-2026-33511

Description

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Pyload/Pyloadllm-fuzzy2 versions
    >=0.4.20, <0.5.0b3.dev97+ 1 more
    • (no CPE)range: >=0.4.20, <0.5.0b3.dev97
    • (no CPE)range: >= 0.4.20, < 0.5.0b3.dev97

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.