Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 25, 2026

pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad

CVE-2026-33511

Description

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.

Affected products

Pyload/Pyloadv5
Range: >= 0.4.20, < 0.5.0b3.dev97

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pwmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000