VYPR

PyPI package

pyload-ng

pkg:pypi/pyload-ng

Vulnerabilities (43)

  • CVE-2026-45348 · High · May 14, 2026
    affected <= 0.5.0b3.dev99

    Summary: The `packages.js` template at `src/pyload/webui/app/themes/modern/templates/js/packages.js:172` interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via `$(div).html(html)`. No escaping runs between the

  • CVE-2026-45306 · May 14, 2026
    affected <= 0.5.0b3.dev99

    Summary: The fix for CVE-2026-33509 prevents setting `storage_folder` inside `PKGDIR` or `userdir`, but does NOT protect the Flask session directory (`/tmp/pyLoad/flask`). An authenticated attacker can set `storage_folder` to the session directory and download session files of

  • CVE-2026-44226 · Medium · May 11, 2026
    affected < 0.5.0b3.dev100, fixed 0.5.0b3.dev100

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled

  • CVE-2026-42315 · High · May 11, 2026
    affected < 0.5.0b3.dev100, fixed 0.5.0b3.dev100

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to sp

  • CVE-2026-42314 · Medium · May 11, 2026
    affected < 0.5.0b3.dev100, fixed 0.5.0b3.dev100

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern `....//` becomes `.._` after replacement (partial removal), leaving `..` which can be exploited when the p

  • CVE-2026-42313 · High · May 11, 2026
    affected < 0.5.0b3.dev100, fixed 0.5.0b3.dev100

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPT

  • CVE-2026-42312 · Medium · May 11, 2026
    affected < 0.5.0b3.dev100, fixed 0.5.0b3.dev100

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPT

  • CVE-2026-41133 · High · Apr 22, 2026
    affected <= 0.5.0b3.dev97

    pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permiss
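Added example for the CVE-2026-41133 entry above; it is not pyLoad's code. A constructed user store and session show why authorizing from the role and permission values copied into the session at login keeps honouring a permission an admin has since revoked, and what a per-request lookup against the current user record does instead. The permission bit values, the store layout and the session dict shape are assumptions.

```python
# Constructed user store and session model; not pyLoad's own code or data layout.
# Permission bits are illustrative: the real Perms values are not given on this page.
PERM_ADD = 1 << 0
PERM_DELETE = 1 << 1
PERM_SETTINGS = 1 << 2

USERS = {
    "alice": {"role": "admin", "permission": PERM_ADD | PERM_DELETE | PERM_SETTINGS},
}


def login(username):
    """Build a session the way the advisory describes: role and permission
    are copied into it once, at login time."""
    user = USERS[username]
    return {"user": username, "role": user["role"], "permission": user["permission"]}


def authorized_cached(session, required):
    """The vulnerable pattern: authorize from the snapshot taken at login.
    A later role/permission change by an admin is never seen by this check."""
    return session["permission"] & required == required


def authorized_fresh(session, required):
    """Authorize against the current user record on every request."""
    user = USERS.get(session["user"])
    if user is None:            # deleted user: the session must die with the account
        return False
    return user["permission"] & required == required


def admin_set_permission(username, permission, role="user"):
    """What an admin does after the user has already logged in."""
    USERS[username] = {"role": role, "permission": permission}


def demo():
    """Log in, have an admin strip SETTINGS, then compare the two checks."""
    USERS["alice"] = {"role": "admin", "permission": PERM_ADD | PERM_DELETE | PERM_SETTINGS}
    session = login("alice")
    admin_set_permission("alice", PERM_ADD)          # downgrade after login
    result = {
        "cached_still_allows_settings": authorized_cached(session, PERM_SETTINGS),
        "fresh_allows_settings": authorized_fresh(session, PERM_SETTINGS),
        "fresh_allows_add": authorized_fresh(session, PERM_ADD),
    }
    del USERS["alice"]                               # account removed entirely
    result["fresh_after_delete"] = authorized_fresh(session, PERM_ADD)
    return result
```

The cost of the fresh check is one user lookup per request; if that is too expensive, the usual compromise is a version counter on the user record that the session stores and compares, which still requires reading the record.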

  • CVE-2026-40594 · Medium · Apr 21, 2026
    affected < 0.5.0b3.dev98, fixed 0.5.0b3.dev98

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request origi

  • CVE-2026-40071 · Medium · Apr 9, 2026
    affected <= 0.5.0b3

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privil

  • CVE-2026-35592 · Medium · Apr 7, 2026
    affected < 0.5.0b3.dev97, fixed 0.5.0b3.dev97

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather

  • CVE-2026-35586 · Medium · Apr 7, 2026
    affected < 0.5.0b3.dev97, fixed 0.5.0b3.dev97

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_

  • CVE-2026-35464 · High · Apr 7, 2026
    affected <= 0.5.0b3

    pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path rest

  • CVE-2026-35463 · High · Apr 7, 2026
    affected <= 0.5.0b3.dev96

    pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this pr

  • CVE-2026-35459 · Critical · Apr 6, 2026
    affected <= 0.5.0b3.dev96

    pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial do

  • CVE-2026-35187 · High · Apr 6, 2026
    affected <= 0.5.0b3.dev96

    pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP b

  • CVE-2026-33992 · Medium · Mar 27, 2026
    affected <= 0.5.0b3.dev96

    pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access inter
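Added example covering the three SSRF entries above (CVE-2026-33992, CVE-2026-35187 and CVE-2026-35459); it is not pyLoad's code. It restricts the scheme, resolves the host and rejects every non-public answer rather than only the first, and repeats that check on each redirect hop, which is the gap CVE-2026-35459 describes for a check applied to the initial URL only. The DNS table, the HTTP responses and all hostnames are constructed so the block runs offline; a real deployment would wrap socket.getaddrinfo and the HTTP client in place of the fake lookups.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; names and addresses are assumptions.
# 93.184.216.34 stands in for an ordinary public address; the others are the internal
# ranges an SSRF is aimed at. rebind.example.com returns a mixed answer on purpose.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}

# Constructed HTTP responses keyed by URL: (status, Location header, body).
FAKE_RESPONSES = {
    "http://files.example.com/a.zip": (200, None, b"archive bytes"),
    "http://files.example.com/hop": (302, "/a.zip", b""),
    "http://files.example.com/redir": (302, "http://169.254.169.254/latest/meta-data/", b""),
}


def fake_transport(url):
    return FAKE_RESPONSES.get(url, (404, None, b""))


def is_public(addr):
    """Reject every range an SSRF can use to reach the host itself or its network.
    100.64.0.0/10 is listed explicitly because older Pythons do not flag it as private."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or addr in ipaddress.ip_network("100.64.0.0/10"))


def resolve(hostname, dns=FAKE_DNS):
    """Return every address for hostname (a real version wraps socket.getaddrinfo).
    Checking only the first answer lets a mixed record slip an internal address through."""
    if hostname not in dns:
        raise ValueError(f"cannot resolve {hostname!r}")
    return [ipaddress.ip_address(a) for a in dns[hostname]]


def validate_url(url, dns=FAKE_DNS):
    """Scheme allowlist, then a range check on every address the host maps to."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    try:                                    # literal IP: no lookup, same range check
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        addrs = resolve(parts.hostname, dns)
    bad = [str(a) for a in addrs if not is_public(a)]
    if bad:
        raise ValueError(f"{parts.hostname!r} resolves to non-public address {bad}")
    return parts


def is_safe_url(url, dns=FAKE_DNS):
    try:
        validate_url(url, dns)
        return True
    except ValueError:
        return False


def fetch(url, transport=fake_transport, dns=FAKE_DNS, max_hops=5):
    """Validate every hop, not just the first URL. Returns (body, hops visited)."""
    hops = []
    for _ in range(max_hops + 1):
        validate_url(url, dns)
        hops.append(url)
        status, location, body = transport(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)     # relative Location resolved against the hop
            continue
        return body, hops
    raise ValueError("too many redirects")


def safe_fetch(url, **kw):
    """Report the outcome instead of raising, so callers can inspect it."""
    try:
        body, hops = fetch(url, **kw)
        return {"ok": True, "body": body, "hops": hops}
    except ValueError as e:
        return {"ok": False, "error": str(e)}
```

Validating by name and then letting the HTTP client resolve the name again leaves a window for DNS rebinding; the robust form connects to the address that passed the check, or re-validates inside the client's connection hook.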

  • CVE-2026-33509 · Mar 24, 2026
    affected >= 0.4.0, <= 0.5.0b3.dev96

    pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.s
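Added example for the set_config_value entries above (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586, CVE-2026-42312 and CVE-2026-42313); it is not pyLoad's code. Instead of a separate, hand-maintained admin-only set, the admin-only flag is declared on each option in the schema, unknown options are refused outright, and a start-up check reports names in a legacy set that match no option at all (the ssl_cert versus ssl_certfile mismatch from CVE-2026-35586) as well as sensitive options such a set would have missed (storage_folder, from CVE-2026-35464). The Option dataclass, the section names and max_speed are assumptions; ssl_certfile, storage_folder and the reconnect script are the options the advisories name.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    section: str
    name: str
    admin_only: bool    # the protection lives beside the option, not in a separate set


# Constructed schema (section names and max_speed are assumptions).
SCHEMA = {
    ("download", "max_speed"): Option("download", "max_speed", False),
    ("general", "storage_folder"): Option("general", "storage_folder", True),
    ("ssl", "ssl_certfile"): Option("ssl", "ssl_certfile", True),
    ("reconnect", "script"): Option("reconnect", "script", True),
}

# The drift-prone shape the advisories describe: a hand-kept set of names.
# "ssl_cert" is the mismatched name from CVE-2026-35586; it matches no option,
# so it protects nothing, and storage_folder is missing entirely.
LEGACY_ADMIN_ONLY = {"reconnect.script", "ssl_cert"}


def stale_entries(schema, legacy):
    """Names in the hand-kept set that correspond to no schema option.
    Run at start-up or as a unit test so a renamed option fails loudly."""
    known = {f"{s}.{n}" for s, n in schema} | {n for _, n in schema}
    return sorted(x for x in legacy if x not in known)


def unprotected_sensitive(schema, legacy):
    """Options flagged admin-only in the schema that the hand-kept set omits."""
    return sorted(
        f"{o.section}.{o.name}" for o in schema.values()
        if o.admin_only and o.name not in legacy and f"{o.section}.{o.name}" not in legacy
    )


def set_config_value(config, user, section, name, value):
    """Deny by default: unknown options are rejected and admin-only ones need is_admin.
    Returns 'ok', 'denied' or 'unknown' so the outcome is easy to inspect."""
    opt = SCHEMA.get((section, name))
    if opt is None:
        return "unknown"
    if opt.admin_only and not user.get("is_admin", False):
        return "denied"
    config[(section, name)] = value
    return "ok"
```

The two audit functions are the part worth keeping even if the legacy set stays: a renamed or newly added sensitive option then breaks a test instead of silently becoming writable by any user with the SETTINGS permission.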

  • CVE-2026-33314 · Mar 24, 2026
    affected < 0.5.0b3.dev97, fixed 0.5.0b3.dev97

    pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'L
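Added example for CVE-2026-33314 and CVE-2026-40594 above; it is not pyLoad's code. Both entries trust a request header (Host, X-Forwarded-Proto) for a security decision. The functions below decide locality from the transport peer address rather than Host, and honour X-Forwarded-Proto only when the peer is on a trusted proxy network, falling back to the scheme the listening socket actually saw. The 10.0.0.0/8 proxy range, the header dict shape and the flawed Host-based check are illustrative assumptions, not pyLoad's exact code.

```python
import ipaddress

# Assumption: the reverse proxy that terminates TLS sits on this network. Anything
# else that talks to the app directly is an untrusted client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _peer(remote_addr):
    return ipaddress.ip_address(remote_addr)


def is_local_via_host_header(headers):
    """The flawed idea behind CVE-2026-33314, as an illustration: 'local' is inferred
    from the Host header, which any client on the internet sets to whatever it likes."""
    host = headers.get("Host", "").rsplit(":", 1)[0]
    return host in ("127.0.0.1", "localhost", "[::1]")


def is_local(remote_addr):
    """Decide locality from the peer address of the connection. A remote client
    cannot forge the source address of an established TCP connection the way it
    forges a header."""
    return _peer(remote_addr).is_loopback


def request_scheme(headers, remote_addr, transport_scheme):
    """Honour X-Forwarded-Proto only when the peer is a trusted proxy; otherwise
    use the scheme the server's own socket observed."""
    peer = _peer(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return transport_scheme


def session_cookie_secure(headers, remote_addr, transport_scheme):
    """Derive the cookie Secure flag from the trustworthy scheme, never from a bare header."""
    return request_scheme(headers, remote_addr, transport_scheme) == "https"
```

When the app only ever sits behind the proxy, remote_addr is the proxy for every request; locality then has to come from X-Forwarded-For, and only after the same trusted-peer check, never from Host.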

  • CVE-2026-29778 · Mar 7, 2026
    affected >= 0.5.0b3.dev13, <= 0.5.0b3.dev96

    pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "
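Added example for the folder-name entries above (CVE-2026-29778, CVE-2026-35592, CVE-2026-42314 and CVE-2026-42315); it is not pyLoad's code. It shows why a single-pass string replacement and os.path.commonprefix both fail, and a resolve_within that normalises the joined path with os.path.realpath and then tests containment component-wise with os.path.commonpath. The replace('../', '') sanitizer is a stand-in for the fragile approach (the advisory's own substitution yields '.._'), and the base directory under the temp dir is constructed; it does not need to exist.

```python
import os
import tempfile


def sanitize_single_pass(folder):
    """Stand-in for the fragile sanitizer the advisories describe (not pyLoad's exact
    substitution). One pass consumes one '../' and the characters on either side of
    it recombine into a fresh one."""
    return folder.replace("../", "")


def contained_by_prefix(base, candidate):
    """The commonprefix check from CVE-2026-35592: character-wise, so a sibling
    directory whose name merely starts with the base name passes."""
    return os.path.commonprefix([base, candidate]) == base


def contained_by_path(base, candidate):
    """Component-wise containment test."""
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:        # different drives or abs/rel mix: not contained
        return False


def resolve_within(base, user_path):
    """Join a caller-supplied folder onto base and refuse anything that escapes it.
    realpath collapses '..', '.', repeated separators and symlinks before the test,
    so nothing is left for a string-level sanitizer to miss. An absolute user_path
    replaces base in os.path.join and is caught by the same containment test."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if not contained_by_path(base_real, candidate):
        raise ValueError(f"{user_path!r} escapes {base_real!r}")
    return candidate


def is_within(base, user_path):
    try:
        resolve_within(base, user_path)
        return True
    except ValueError:
        return False


def demo():
    """Constructed inputs showing each failure mode and the component-wise check."""
    base = os.path.join(tempfile.gettempdir(), "pyload_downloads")   # need not exist
    return {
        "single_pass_result": sanitize_single_pass("....//"),
        "prefix_accepts_sibling": contained_by_prefix("/srv/downloads", "/srv/downloads_evil/x"),
        "path_rejects_sibling": contained_by_path("/srv/downloads", "/srv/downloads_evil/x"),
        "plain_name": is_within(base, "pkg1"),
        "nested": is_within(base, "a/b/c"),
        "dotdot": is_within(base, "../../etc/passwd"),
        "after_single_pass": is_within(base, sanitize_single_pass("....//") + "etc/passwd"),
        "absolute": is_within(base, "/etc/passwd"),
        "sibling": is_within(base, "../pyload_downloads_evil/x"),
    }
```

Whether the folder name is sanitised or not, the containment test on the final resolved path is the check that has to exist; sanitisation at most improves error messages.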

Page 1 of 3