Package impact

python PyPI / pyload-ng

CVE Severity CVSS Risk Published Description Impact
CVE-2026-41133 high 8.8 8.8 1mo ago pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize reques… python
CVE-2026-42313 high 8.3 8.3 16d ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates … python
CVE-2026-45348 high 8.0 13d ago pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal python
CVE-2026-42312 medium 6.8 6.8 16d ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates … python
CVE-2026-42315 medium 6.5 6.5 16d ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_… python
CVE-2026-42314 medium 6.5 6.5 16d ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ … python
CVE-2026-46561 medium 5.5 6d ago pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API python
CVE-2026-45306 medium 5.5 13d ago pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad python
CVE-2026-40071 medium 5.4 5.4 2mo ago pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions python
CVE-2026-44226 medium 5.3 5.3 16d ago PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI python
CVE-2026-40594 medium 4.8 4.8 1mo ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwa… python
CVE-2026-35592 unknown 2mo ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for … python
CVE-2026-35586 unknown 2mo ago pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert a… python
CVE-2026-35464 unknown 2mo ago pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509) python
CVE-2026-35463 unknown 2mo ago pyLoad: Improper Neutralization of Special Elements used in an OS Command python
CVE-2026-35459 unknown 2mo ago pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) python
CVE-2026-35187 unknown 2mo ago pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter python
CVE-2026-33992 unknown 2mo ago pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration python
CVE-2026-33509 unknown 2mo ago pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration python
CVE-2026-33314 unknown 2mo ago pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external… python
CVE-2026-29778 unknown 3mo ago pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder … python
CVE-2025-61773 unknown 8mo ago pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters python
CVE-2025-57751 unknown 9mo ago Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs python
CVE-2025-55156 unknown 10mo ago PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter python
CVE-2025-54802 unknown 10mo ago pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE) python
CVE-2025-54140 unknown 10mo ago `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write python
CVE-2025-53890 unknown 11mo ago pyLoad vulnerable to XSS through insecure CAPTCHA python
CVE-2025-7346 unknown 11mo ago pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages python
CVE-2024-1240 unknown 2y ago An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this… python
CVE-2024-47821 unknown 2y ago pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, e.g. when a download is finished. By downloading an execut… python
CVE-2024-39205 unknown 2y ago pyload-ng vulnerable to RCE with js2py sandbox escape python
CVE-2024-32880 unknown 2y ago pyLoad allows upload to arbitrary folder lead to RCE python
CVE-2024-24808 unknown 2y ago pyLoad open redirect vulnerability due to improper validation of the is_safe_url function python
CVE-2024-22416 unknown 2y ago pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`… python
CVE-2024-21644 unknown 2y ago pyload Unauthenticated Flask Configuration Leakage vulnerability python
CVE-2024-21645 unknown 2y ago pyload Log Injection vulnerability python
CVE-2023-47890 unknown 3y ago Download to arbitrary folder can lead to RCE python
CVE-2023-0509 unknown 3y ago Improper Certificate Validation in pyload-ng python
CVE-2023-0488 unknown 3y ago Cross-site Scripting in pyload-ng python
CVE-2023-0435 unknown 3y ago Excessive Attack Surface in pyload-ng python
CVE-2023-0434 unknown 3y ago Improper Input Validation in pyload-ng python
CVE-2023-0297 unknown 3y ago Code Injection in pyload-ng python
CVE-2023-0227 unknown 3y ago Pyload Insufficient Session Expiration vulnerability python
CVE-2023-0057 unknown 3y ago pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames python
CVE-2023-0055 unknown 3y ago Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute python