VYPR

Pyload Ng

by Pyload

Source repositories

CVEs (8)

  • CVE-2026-42315HigMay 11, 2026
    risk 0.53cvss 8.1epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to…

  • CVE-2026-35459CriApr 6, 2026
    risk 0.52cvss 9.1epss 0.00

    pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial…

  • CVE-2026-35463HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.01

    pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this…

  • CVE-2026-42312MedMay 11, 2026
    risk 0.44cvss 6.8epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist…

  • CVE-2026-35586MedApr 7, 2026
    risk 0.44cvss 6.8epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and…

  • CVE-2026-35187HigApr 6, 2026
    risk 0.43cvss 7.7epss 0.00

    pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP…

  • CVE-2026-35592MedApr 7, 2026
    risk 0.34cvss 5.3epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison…

  • CVE-2026-40594MedApr 21, 2026
    risk 0.31cvss 4.8epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request…