| CVE-2026-41133 | high | 8.8 | 8.8 | | | | 1mo ago | pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize reques… |
| CVE-2026-45348 | high | 8.7 | 8.7 | | | | 14d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates … |
| CVE-2026-42313 | high | 8.3 | 8.3 | | | | 17d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in `src/pyload/core/api/__init__.py` gates … |
| CVE-2026-42312 | medium | 6.8 | 6.8 | | | | 17d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in `src/pyload/core/api/__init__.py` gates … |
| CVE-2026-45306 | medium | 6.5 | 6.5 | | | | 14d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect… |
| CVE-2026-42315 | medium | 6.5 | 6.5 | | | | 17d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_… |
| CVE-2026-42314 | medium | 6.5 | 6.5 | | | | 17d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ … |
| CVE-2026-40071 | medium | 5.4 | 5.4 | | | | 2mo ago | pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions |
| CVE-2026-44226 | medium | 5.3 | 5.3 | | | | 17d ago | PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI |
| CVE-2026-46561 | medium | 5.0 | 5.0 | | | | 7d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An… |
| CVE-2026-40594 | medium | 4.8 | 4.8 | | | | 1mo ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in `src/pyload/webui/app/__init__.py` reads the X-Forwa… |