Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 25, 2026
pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad
CVE-2026-33511
Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pwmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.