| CVE | Severity | Score (a) | Score (b) | Age | Summary |
|---|---|---|---|---|---|
| CVE-2026-41133 | high | 8.8 | 8.8 | 2mo ago | pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize reques… |
| CVE-2026-45348 | high | 8.7 | 8.7 | 20d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates … |
| CVE-2026-42313 | high | 8.3 | 8.3 | 23d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates … |
| CVE-2026-42312 | medium | 6.8 | 6.8 | 23d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates … |
| CVE-2026-45306 | medium | 6.5 | 6.5 | 20d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect… |
| CVE-2026-42315 | medium | 6.5 | 6.5 | 23d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_… |
| CVE-2026-42314 | medium | 6.5 | 6.5 | 23d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ … |
| CVE-2026-40071 | medium | 5.4 | 5.4 | 2mo ago | pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions |
| CVE-2026-44226 | medium | 5.3 | 5.3 | 23d ago | PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI |
| CVE-2026-46561 | medium | 5.0 | 5.0 | 13d ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An… |
| CVE-2026-40594 | medium | 4.8 | 4.8 | 1mo ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwa… |
| CVE-2024-39205 | unknown | — | 1.0 | 2y ago | pyload-ng vulnerable to RCE with js2py sandbox escape |
| CVE-2023-0297 | unknown | — | 1.0 | 3y ago | Code Injection in pyload-ng |
| CVE-2026-35592 | unknown | — | — | 2mo ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for … |
| CVE-2026-35586 | unknown | — | — | 2mo ago | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert a… |
| CVE-2026-35464 | unknown | — | — | 2mo ago | pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509) |
| CVE-2026-35463 | unknown | — | — | 2mo ago | pyLoad: Improper Neutralization of Special Elements used in an OS Command |
| CVE-2026-35459 | unknown | — | — | 2mo ago | pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) |
| CVE-2026-35187 | unknown | — | — | 2mo ago | pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter |
| CVE-2026-33992 | unknown | — | — | 2mo ago | pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration |
| CVE-2026-33509 | unknown | — | — | 3mo ago | pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration |
| CVE-2026-33314 | unknown | — | — | 3mo ago | pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external… |
| CVE-2026-29778 | unknown | — | — | 3mo ago | pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder … |
| CVE-2025-61773 | unknown | — | — | 8mo ago | pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters |
| CVE-2025-57751 | unknown | — | — | 10mo ago | Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs |
| CVE-2025-55156 | unknown | — | — | 10mo ago | PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter |
| CVE-2025-54802 | unknown | — | — | 10mo ago | pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE) |
| CVE-2025-54140 | unknown | — | — | 11mo ago | `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write |
| CVE-2025-53890 | unknown | — | — | 11mo ago | pyLoad vulnerable to XSS through insecure CAPTCHA |
| CVE-2025-7346 | unknown | — | — | 11mo ago | pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages |
| CVE-2024-1240 | unknown | — | — | 2y ago | An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this… |
| CVE-2024-47821 | unknown | — | — | 2y ago | pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading an execut… |
| CVE-2024-32880 | unknown | — | — | 2y ago | pyLoad allows upload to arbitrary folder lead to RCE |
| CVE-2024-24808 | unknown | — | — | 2y ago | pyLoad open redirect vulnerability due to improper validation of the is_safe_url function |
| CVE-2024-22416 | unknown | — | — | 2y ago | pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`… |
| CVE-2024-21644 | unknown | — | — | 2y ago | pyload Unauthenticated Flask Configuration Leakage vulnerability |
| CVE-2024-21645 | unknown | — | — | 2y ago | pyload Log Injection vulnerability |
| CVE-2023-47890 | unknown | — | — | 3y ago | Download to arbitrary folder can lead to RCE |
| CVE-2023-0488 | unknown | — | — | 3y ago | Cross-site Scripting in pyload-ng |
| CVE-2023-0509 | unknown | — | — | 3y ago | Improper Certificate Validation in pyload-ng |
| CVE-2023-0435 | unknown | — | — | 3y ago | Excessive Attack Surface in pyload-ng |
| CVE-2023-0434 | unknown | — | — | 3y ago | Improper Input Validation in pyload-ng |
| CVE-2023-0227 | unknown | — | — | 3y ago | Pyload Insufficient Session Expiration vulnerability |
| CVE-2023-0057 | unknown | — | — | 4y ago | pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames |
| CVE-2023-0055 | unknown | — | — | 4y ago | Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
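Several entries above describe the same two path-handling mistakes: CVE-2026-42314 (single-pass string replacement, where `....//` re-forms a traversal sequence after one removal), CVE-2026-42315 and CVE-2026-29778 (user-supplied package folder names reaching the filesystem) and CVE-2026-35592 (`os.path.commonprefix()` used as a containment check in `_safe_extractall()`). The following is an added illustration written for this page, not pyLoad's code: `naive_sanitize` and `commonprefix_contains` are hypothetical reconstructions of the anti-patterns, not the project's exact logic, `is_inside` is one hardened replacement, and the `/srv/pyload/downloads` path and member names are constructed.

```python
import os


def naive_sanitize(folder_name: str) -> str:
    """Hypothetical single-pass sanitizer (the anti-pattern, not pyLoad's exact code).
    Removing '../' once lets '....//' collapse into a fresh '../' after the removal."""
    return folder_name.replace("../", "")


def commonprefix_contains(base: str, target: str) -> bool:
    """The os.path.commonprefix() anti-pattern: it compares strings character by
    character, so '/srv/dl' is a 'prefix' of '/srv/dl_evil/x' although that is a
    sibling directory, not a child of '/srv/dl'."""
    return os.path.commonprefix([base, target]) == base


def is_inside(base: str, target: str) -> bool:
    """Hardened containment check: resolve symlinks and '..' on both sides, then
    compare whole path components with os.path.commonpath()."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    try:
        return os.path.commonpath([base_real, target_real]) == base_real
    except ValueError:  # e.g. different drives on Windows: cannot be inside
        return False


def resolve_package_folder(base: str, folder_name: str) -> str:
    """Map a user-supplied package folder name onto the download directory and
    refuse anything that resolves outside it (absolute paths, '..', symlinks)."""
    candidate = os.path.join(base, folder_name)  # an absolute folder_name discards base
    if not is_inside(base, candidate):
        raise ValueError(f"folder name escapes {base!r}: {folder_name!r}")
    return os.path.realpath(candidate)


def is_safe_folder_name(base: str, folder_name: str) -> bool:
    """Boolean form of resolve_package_folder() for callers that prefer not to catch."""
    try:
        resolve_package_folder(base, folder_name)
        return True
    except ValueError:
        return False


def safe_member_names(dest: str, member_names):
    """Archive extraction: split member names into those that stay inside dest and
    those that would escape it, the check an extractor must run per member.
    On Python 3.12+ (and the backports) tarfile's extraction filters
    (extractall(..., filter='data')) do this for you; prefer them where available."""
    allowed, rejected = [], []
    for name in member_names:
        (allowed if is_inside(dest, os.path.join(dest, name)) else rejected).append(name)
    return allowed, rejected


if __name__ == "__main__":
    base = "/srv/pyload/downloads"  # constructed path; need not exist
    hostile = "....//....//etc"
    print(naive_sanitize(hostile))                          # '../../etc': traversal survived
    print(commonprefix_contains(base, base + "_evil/x"))    # True: sibling dir passes as child
    print(is_safe_folder_name(base, naive_sanitize(hostile)))  # False: caught by realpath check
    print(safe_member_names(base, ["pkg/a.bin", "../../etc/cron.d/x", "/etc/passwd"]))
```

The realpath-then-commonpath check works on paths that do not exist yet, so it can run before the directory is created; the only caveat is that a symlink planted inside the base directory after the check and before the write is still a race, which is why extraction code should also resolve each member's parent directory at write time (tarfile's `data` filter does).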
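The SSRF entries (CVE-2026-33992, CVE-2026-35187, CVE-2026-46561, and CVE-2026-35459, whose summary says the private-IP filter was bypassed via an HTTP redirect) illustrate that a target check applied once to the submitted URL is not enough: the address has to be re-checked on every hop the client follows, and a host that resolves to a mix of public and private addresses must be rejected outright. The following is an added example written for this page, not pyLoad's `BaseDownloader` or `HTTPRequest` code; the fake DNS table and fake web responses are constructed stand-ins so it runs offline, and `8.8.8.8` only stands in for "some routable public address".

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urljoin, urlsplit

# A hostname -> address-strings resolver, and a minimal (status, headers, body) opener.
Resolver = Callable[[str], Iterable[str]]
Opener = Callable[[str], Tuple[int, Dict[str, str], bytes]]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class BlockedURL(PermissionError):
    """Raised when a URL, or one of its redirect targets, points at a non-public address."""


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every address it has (A and AAAA), as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    """True for loopback, link-local (incl. the 169.254.169.254 metadata address),
    RFC 1918, CGNAT, documentation and every other non-global range. IPv4-mapped
    IPv6 addresses are unwrapped first so ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def is_blocked_url(url: str, resolve: Resolver = system_resolver) -> bool:
    """Reject non-http(s) schemes, unresolvable hosts, and any host for which *any*
    resolved address is non-global: a mixed public/private answer is a rebinding
    style bypass, so every answer has to be clean."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addrs = list(resolve(parts.hostname))
    except (OSError, ValueError):
        return True
    return not addrs or any(is_blocked_address(a) for a in addrs)


def fetch_checked(url: str, open_url: Opener, resolve: Resolver = system_resolver,
                  max_redirects: int = 5):
    """Follow redirects by hand and re-run the address check on every hop. A client
    that follows redirects internally would only ever have checked the first URL."""
    for _ in range(max_redirects + 1):
        if is_blocked_url(url, resolve):
            raise BlockedURL(url)
        status, headers, body = open_url(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])  # a relative Location is legal
            continue
        return url, status, body
    raise RuntimeError(f"too many redirects starting at {url}")


# --- Constructed, offline stand-ins for DNS and HTTP (not real hosts) -----------
FAKE_DNS = {
    "files.example.com": ["8.8.8.8"],               # stands in for a routable public address
    "rebind.example.com": ["8.8.8.8", "10.0.0.5"],  # mixed answer: must be rejected
}
FAKE_WEB = {
    "http://files.example.com/dl/1": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://files.example.com/dl/2": (200, {}, b"file-bytes"),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\n"),
}


def fake_resolve(host: str) -> List[str]:
    try:
        ipaddress.ip_address(host)  # an IP literal "resolves" to itself
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def fake_open(url: str):
    return FAKE_WEB.get(url, (404, {}, b""))


def try_fetch(url: str, open_url: Opener = fake_open, resolve: Resolver = fake_resolve):
    """Return (final_url, status, body), or None if some hop of the chain was blocked."""
    try:
        return fetch_checked(url, open_url, resolve)
    except BlockedURL:
        return None


if __name__ == "__main__":
    print(try_fetch("http://files.example.com/dl/2"))  # served
    print(try_fetch("http://files.example.com/dl/1"))  # None: redirect to metadata IP blocked
    print(try_fetch("http://rebind.example.com/"))     # None: one DNS answer is private
```

Resolving the name here and then letting the HTTP library resolve it again when it connects is still a time-of-check/time-of-use window (DNS rebinding); a production version connects to the address it validated and sends the original hostname in the Host header and SNI, or hands the check to the library's connection hook so the validated socket address is the one actually used.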