518 matches found

CNNVD (added 2026/05/11 12:00 a.m.)

pyLoad security vulnerability

pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained security vulnerabilities. These vulnerabilities stemmed from the WebUI returning complete Python trace details when exceptions were not handled properly. This could allow...

CVSS 5.3 | AI score 5.8 | EPSS 0.00063
Exploits 1 | References 1
CNNVD (added 2026/05/11 12:00 a.m.)

pyLoad trust management vulnerability

pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained a trust management vulnerability. This vulnerability stemmed from the fact that the allowlist did not include the general.ssl_verify option in the set_config_value API method. As a resul...

CVSS 6.8 | AI score 5.8 | EPSS 0.0002
Exploits 1 | References 1
Circl (added 2026/05/09 11:21 p.m.)

CVE-2026-45348

creation_timestamp | type | source
---|---|---
2026-05-09 23:21:22+00:00 | published-proof-of-concept | https://github.com/pyload/pyload/security/advisories/GHSA-fcjq-435v-jx94
2026-05-28 19:01:08+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mmwpgw3uve2g
2026-05-28...

CVSS 8.7 | AI score 5.7 | EPSS 0.00033
Exploits 0 | References 3
OSV (added 2026/05/06 5:54 p.m.)

GHSA-C3GC-9PF2-84GG PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI

Summary: pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception, for example by requesting a...

CVSS 5.3 | AI score 5.8 | EPSS 0.00063
Exploits 1 | References 3
Positive Technologies (added 2026/05/06 12:00 a.m.)

PT-2026-38289

Name of the vulnerable software and affected versions: pyLoad versions prior to 0.5.0b3.dev100
Description: The WebUI returns full Python traceback details to clients when unhandled exceptions occur. This happens because the endpoint "/web/" is accessible without authentication and renders template...

CVSS 5.3 | AI score 5.9 | EPSS 0.00063
Exploits 1 | References 4
Github Security Blog (added 2026/05/05 9:18 p.m.)

PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data

Summary: No sanitization of the package folder name allows writing files anywhere outside the intended download directory.
Affected component: src/pyload/core/api/__init__.py, function set_package_data
Details: When passing a folder name in the set_package_data API function call inside the data object with...

CVSS 8.1 | AI score 5.9 | EPSS 0.0006
Exploits 1 | References 3 | Affected software 1
Snyk (added 2026/05/05 9:18 p.m.)

Directory Traversal

Overview: pyload-ng is the free and open-source Download Manager written in pure Python. Affected versions of this package are vulnerable to Directory Traversal via the set_package_data function. An attacker can overwrite or create files in arbitrary directories by supplying crafted values to the...

CVSS 8.1 | AI score 6.3 | EPSS 0.0006
Exploits 1 | References 3
OSV (added 2026/05/05 9:18 p.m.)

GHSA-838G-GR43-QQG9 PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data

Summary: No sanitization of the package folder name allows writing files anywhere outside the intended download directory.
Affected component: src/pyload/core/api/__init__.py, function set_package_data
Details: When passing a folder name in the set_package_data API function call inside the data object with...

CVSS 8.1 | AI score 5.9 | EPSS 0.0006
Exploits 1 | References 3
OSV (added 2026/05/05 9:13 p.m.)

GHSA-97R3-5W84-R4Q8 PyLoad Vulnerable to Path Traversal via Package Folder Name

Insufficient sanitization of package folder names allows writing files outside the intended download directory.
Affected component: src/pyload/core/api/__init__.py, function add_package
Description: Package folder names are sanitized using insufficient string replacement (Python): folder =...

CVSS 6.5 | AI score 5.8 | EPSS 0.00059
Exploits 1 | References 3
Positive Technologies (added 2026/05/05 12:00 a.m.)

PT-2026-37264

Name of the vulnerable software and affected versions: pyLoad versions prior to 0.5.0b3.dev100
Description: Lack of sanitization in the set_package_data function allows a user with Perms.MODIFY permissions to specify arbitrary directories as download locations for a package. This occurs when passin...

CVSS 8.1 | AI score 5.9 | EPSS 0.0006
Exploits 1 | References 7
Snyk (added 2026/05/04 10:08 p.m.)

Server-side Request Forgery (SSRF)

Overview: pyload-ng is the free and open-source Download Manager written in pure Python. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the set_config_value function. An attacker can intercept all outbound HTTP traffic, steal credentials, and inject...

CVSS 8.7 | AI score 6 | EPSS 0.00016
Exploits 1 | References 4
OSV (added 2026/05/04 10:07 p.m.)

GHSA-CCXC-X975-4HH9 pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary: The set_config_value API method (decorated @permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist, ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS...

CVSS 6.8 | AI score 5.8 | EPSS 0.0002
Exploits 1 | References 7
Circl (added 2026/04/27 8:15 p.m.)

CVE-2026-44226

creation_timestamp | type | source
---|---|---
2026-04-27 20:15:32+00:00 | published-proof-of-concept | https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg...

CVSS 5.3 | AI score 5.8 | EPSS 0.00063
Exploits 1 | References 1
Circl (added 2026/04/26 9:37 p.m.)

CVE-2026-42314

creation_timestamp | type | source
---|---|---
2026-04-26 21:37:37+00:00 | published-proof-of-concept | https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8...

CVSS 6.5 | AI score 5.8 | EPSS 0.00059
Exploits 1 | References 1
Circl (added 2026/04/24 6:09 a.m.)

CVE-2026-42312

creation_timestamp | type | source
---|---|---
2026-04-24 06:09:45+00:00 | published-proof-of-concept | https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9...

CVSS 6.8 | AI score 5.8 | EPSS 0.0002
Exploits 1 | References 1
NVD (added 2026/04/22 12:16 a.m.)

CVE-2026-41133

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache the role and permissions in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

CVSS 8.8 | EPSS 0.00043
Exploits 1 | References 2
CNNVD (added 2026/04/22 12:00 a.m.)

pyLoad code issue vulnerability

pyLoad is an open-source download manager written in Python. Versions of pyLoad 0.5.0b3.dev97 and earlier have code vulnerabilities. These vulnerabilities stem from caching role and permission values during login, and continuing to use these cached values to authorize requests after the...

CVSS 8.8 | AI score 7.3 | EPSS 0.00043
Exploits 1 | References 1
EUVD (added 2026/04/21 11:41 p.m.)

EUVD-2026-24574

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache the role and permissions in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

CVSS 8.8 | AI score 5.7 | EPSS 0.00043
Exploits 1 | References 2
Vulnrichment (added 2026/04/21 11:41 p.m.)

CVE-2026-41133 pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache the role and permissions in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

CVSS 8.8 | AI score 5.7 | EPSS 0.00043
Exploits 1 | References 2
ATTACKERKB (added 2026/04/21 11:41 p.m.)

CVE-2026-41133

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache the role and permissions in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

CVSS 8.8 | AI score 5.7 | EPSS 0.00043
Exploits 1 | References 3 | Affected software 1