CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/05/11 4:36 p.m.•4 views

CVE-2026-44226 pyLoad: Unauthenticated traceback disclosure via global exception handler in WebUI

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an...

5.3CVSS5.8AI score0.00063EPSS

ATTACKERKB•added 2026/05/11 4:35 p.m.•8 views

CVE-2026-42315

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the setpackagedata API function call inside the data object with key "folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary...

8.1CVSS5.9AI score0.0006EPSS

Exploits1References2Affected Software1

Cvelist•added 2026/05/11 4:35 p.m.•27 views

CVE-2026-42315 pyLoad: Path Traversal via Package Folder Name in set_package_data

8.1CVSS0.0006EPSS

CVE•added 2026/05/11 4:34 p.m.•10 views

CVE-2026-42314

pyLoad/pyload-ng exposes a path traversal via the add_package workflow: folder sanitization replaces ../ with _ but the replacement is bypassable, leaving .. sequences that OS path resolution can interpret. Affected component is add_package in pyload/core/api/init .py; authenticated/ADD-permissio...

Cvelist•added 2026/05/11 4:34 p.m.•29 views

CVE-2026-42314 pyLoad: Path Traversal via Package Folder Name

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .. after replacement partial removal, leaving .. which can be exploited when the path is later resolve...

6.5CVSS0.00059EPSS

Vulnrichment•added 2026/05/11 4:34 p.m.•6 views

CVE-2026-42314 pyLoad: Path Traversal via Package Folder Name

ATTACKERKB•added 2026/05/11 4:34 p.m.•6 views

CVE-2026-42314

Exploits1References2Affected Software1

EUVD•added 2026/05/11 4:32 p.m.•5 views

EUVD-2026-29120

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.0002EPSS

ATTACKERKB•added 2026/05/11 4:32 p.m.•6 views

CVE-2026-42312

8.8CVSS5.8AI score0.00135EPSS

Exploits5References2Affected Software1

CVE•added 2026/05/11 4:32 p.m.•6 views

CVE-2026-42312

pyload-ng contains a vulnerability (CVE-2026-42312) where a non-admin user with SETTINGS permission can disable TLS peer/hostname verification by setting general.ssl_verify off. The root cause is that the option is not in the ADMIN_ONLY_CORE_OPTIONS allowlist, so set_config_value() writes are all...

6.8CVSS5.8AI score0.0002EPSS

Cvelist•added 2026/05/11 4:32 p.m.•29 views

CVE-2026-42312 pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification

6.8CVSS0.0002EPSS

Vulnrichment•added 2026/05/11 4:32 p.m.•3 views

CVE-2026-42312 pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification

6.8CVSS5.8AI score0.0002EPSS

Vulnrichment•added 2026/05/11 4:30 p.m.•4 views

CVE-2026-42313 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy

8.3CVSS5.8AI score0.00016EPSS

CVE•added 2026/05/11 4:30 p.m.•4 views

CVE-2026-42313

Summary of CVE-2026-42313 / pyload-ng: A non-admin user with SETTINGS permission can enable a proxy and point pyload at any attacker-controlled host, causing all outbound traffic (downloads, captcha fetch, update checks, plugin HTTP calls) to be routed through that attacker. The vulnerability ste...

8.3CVSS5.8AI score0.00016EPSS

Cvelist•added 2026/05/11 4:30 p.m.•29 views

CVE-2026-42313 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy

8.3CVSS0.00016EPSS

ATTACKERKB•added 2026/05/11 4:30 p.m.•3 views

CVE-2026-42313

8.8CVSS5.8AI score0.00135EPSS

Exploits5References2Affected Software1

CNNVD•added 2026/05/11 12:0 a.m.•5 views

pyLoad 安全漏洞

pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained security vulnerabilities. These vulnerabilities stemmed from the setconfigvalue API method, which allowed options related to proxies to be included in the list. This could allow any...

8.3CVSS5.8AI score0.00016EPSS

CNNVD•added 2026/05/11 12:0 a.m.•4 views

pyLoad 路径遍历漏洞

pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained a path traversal vulnerability. This vulnerability stemmed from the uncleaned folder names in the setpackagedata API function, which could allow users with Perms.MODIFY permissions to...

8.1CVSS5.8AI score0.0006EPSS

CNNVD•added 2026/05/11 12:0 a.m.•4 views

pyLoad 路径遍历漏洞

pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained a path traversal vulnerability. This vulnerability stemmed from insufficient cleanup of package folder names, which could lead to path traversal attacks...