518 matches found
CVE-2026-41133
The CVE concerns pyLoad (Python download manager). Affected: versions up to 0.5.0b3.dev97. Root cause: the session cache stores user role/permissions at login and continues to authorize requests using these cached values even after an admin changes the user’s role/permissions in the database. Thi...
PYSEC-2026-125
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...
CVE-2026-40594
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...
CVE-2026-40594 pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...
CVE-2026-40594
CVE-2026-40594 affects pyLoad: the set_session_cookie_secure before_request handler in pyload/webui/app/__init__.py reads X-Forwarded-Proto without origin validation and mutates the global Flask SESSION_COOKIE_SECURE setting on every request. With Cheroot's multi-threaded server (request_queue_size=512), this creat...
pyLoad security vulnerability
pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev98 contained security vulnerabilities. These vulnerabilities stemmed from the lack of verification of the X-Forwarded-Proto header’s source, leading to race conditions in a multi-threaded...
PT-2026-34223
Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev98. Description: An issue exists where role and permission are cached in the session during login. The system continues to authorize requests using these cached values even after an administrator modifies the...
GHSA-MP82-FMJ6-F22V pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
Summary: The set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request...
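The two ingredients of the bug described above are trusting X-Forwarded-Proto from any peer and writing the result into process-wide configuration that every concurrent request then reads. The example below is added here and is not pyLoad's code: it models the vulnerable handler as a function that rewrites a shared dict, beside a hardened per-request decision that honours the header only when the peer is in a trusted-proxy list. The proxy ranges, the attacker address and the interleaving are constructed for the example.

```python
import ipaddress

# Constructed trusted-proxy list for this example (an assumption, not pyLoad configuration).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# --- vulnerable pattern: a shared flag rewritten from an untrusted header ---------------
vuln_config = {"SESSION_COOKIE_SECURE": False}   # stands in for app.config

def vulnerable_before_request(remote_addr, headers):
    """Mirrors the described bug: any client's X-Forwarded-Proto mutates shared state,
    so the value used when *another* request's cookie is written is whatever the
    last handler to run happened to set."""
    proto = headers.get("X-Forwarded-Proto", "http")
    vuln_config["SESSION_COOKIE_SECURE"] = proto.lower() == "https"
    return vuln_config["SESSION_COOKIE_SECURE"]

# --- hardened pattern: per-request decision, header honoured only from a trusted proxy --
def is_trusted_proxy(remote_addr):
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)

def cookie_secure_for_request(remote_addr, headers, transport_is_tls):
    """Return whether this response's session cookie should carry the Secure flag.
    A pure function of the request: nothing shared is written, so concurrent
    requests cannot observe each other's value, and a direct client cannot
    influence the answer through a forwarded header."""
    if transport_is_tls:
        return True
    if is_trusted_proxy(remote_addr):
        # Take only the hop value our own proxy prepends; ignore anything further right.
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        return proto == "https"
    return False

def downgrade_scenario():
    """Interleave a victim request arriving via the proxy with an attacker's direct
    request (constructed). Returns the Secure flag the victim's cookie ends up
    with under the vulnerable model and under the hardened one."""
    victim = ("10.0.0.1", {"X-Forwarded-Proto": "https"}, False)
    attacker = ("203.0.113.5", {"X-Forwarded-Proto": "http"}, False)
    vulnerable_before_request(victim[0], victim[1])       # victim's handler: flag -> True
    vulnerable_before_request(attacker[0], attacker[1])   # attacker's handler: flag -> False
    vulnerable_victim = vuln_config["SESSION_COOKIE_SECURE"]  # victim's cookie is now written with this
    hardened_victim = cookie_secure_for_request(*victim)
    return vulnerable_victim, hardened_victim

if __name__ == "__main__":
    print("victim cookie Secure (vulnerable, hardened):", downgrade_scenario())
```

In a real Flask deployment the same effect is normally obtained by leaving SESSION_COOKIE_SECURE fixed and letting a proxy-aware middleware (Werkzeug's ProxyFix, configured for exactly the number of trusted hops) rewrite the request scheme, rather than by touching app.config in a request handler.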
Origin Validation Error
Overview: pyload-ng is the free and open-source download manager written in pure Python. Affected versions of this package are vulnerable to Origin Validation Error via the set_session_cookie_secure function. An attacker can cause session cookies to be issued without the Secure flag or disrupt user...
PT-2026-33285
Name of the Vulnerable Software and Affected Versions: pyLoad, affected versions not specified. Description: A race condition exists in the set_session_cookie_secure before_request handler within the src/pyload/webui/app/__init__.py file. The application reads the X-Forwarded-Proto header from HTTP...
GHSA-FJ52-5G4H-GMQ8 pyLoad's Session Not Invalidated After Permission Changes
Summary: The pyload application does not properly invalidate or modify sessions upon changes made to a user's permissions. Details: Whenever an administrator changes the permissions a specific account has, they do not expect that account still being able to access data that their new permissions do...
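The failure above is a session that snapshots role and permissions at login and never looks at the user record again. The example below is added here and is not pyLoad's code: it contrasts that cached model with one where the session carries only the user's identity plus a permission version captured at login, so every request re-reads the store and a session minted before an admin change is rejected. The user store and permission names are constructed for the example.

```python
class UserStore:
    """Constructed in-memory stand-in for the user database (assumption, not pyLoad's schema)."""

    def __init__(self):
        self._users = {}

    def add(self, name, role, perms):
        self._users[name] = {"role": role, "perms": set(perms), "perm_version": 1}

    def set_perms(self, name, role, perms):
        # Every administrative change bumps the version; sessions compare against it.
        u = self._users[name]
        u["role"], u["perms"] = role, set(perms)
        u["perm_version"] += 1

    def get(self, name):
        return self._users[name]


# --- vulnerable model: authorize from values copied into the session at login ----------
def login_cached(store, name):
    u = store.get(name)
    return {"user": name, "role": u["role"], "perms": set(u["perms"])}

def authorized_cached(session, perm):
    # Never consults the store again, so an admin's later change has no effect.
    return session["role"] == "admin" or perm in session["perms"]


# --- hardened model: session holds identity + version; each request re-reads the store --
def login_versioned(store, name):
    return {"user": name, "perm_version": store.get(name)["perm_version"]}

def authorized_versioned(store, session, perm):
    u = store.get(session["user"])
    if u["perm_version"] != session["perm_version"]:
        return False   # permissions changed since login: session is stale, force re-auth
    return u["role"] == "admin" or perm in u["perms"]


def stale_session_scenario():
    """Log a user in under both models, strip a permission as admin, and report whether
    each model still grants it. Returns (cached_grants, versioned_grants)."""
    store = UserStore()
    store.add("alice", "user", {"ADD", "MODIFY"})
    cached = login_cached(store, "alice")
    versioned = login_versioned(store, "alice")
    assert authorized_cached(cached, "MODIFY") and authorized_versioned(store, versioned, "MODIFY")
    store.set_perms("alice", "user", {"ADD"})   # admin removes MODIFY
    return authorized_cached(cached, "MODIFY"), authorized_versioned(store, versioned, "MODIFY")

if __name__ == "__main__":
    print("MODIFY still granted after removal (cached, versioned):", stale_session_scenario())
```

Rejecting the stale session outright (rather than silently refreshing it) is the conservative choice: it also covers the case where the admin's change was a demotion meant to end an active session immediately.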
Server-Side Request Forgery (SSRF)
pyLoad is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to missing validation of redirect targets during URL fetching, which allows an attacker to supply a crafted URL that redirects to internal resources and bypass SSRF protections...
CVE-2026-40071
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...
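The mismatch described above arises when a WebUI route writes its own permission check instead of inheriting the one declared on the core method it calls. The example below is added here and is not pyLoad's code: it shows a route with an independently written (weaker) guard beside a route whose guard is bound to the core method's declaration, plus a small audit that walks a route table and reports every handler weaker than the method behind it. The permission flags and route names are constructed for the example.

```python
import functools
from enum import IntFlag

class Perm(IntFlag):
    """Constructed permission bits (assumption; not pyLoad's real values)."""
    ADD = 1
    DELETE = 2
    MODIFY = 4

class PermissionDenied(Exception):
    pass

def api_method(perm):
    """Declare the permission a core method needs. Core methods are called internally
    without re-checking, so the WebUI layer must enforce at least this."""
    def deco(fn):
        fn.required_perm = perm
        return fn
    return deco

@api_method(Perm.MODIFY)
def api_order_package(pid, position):
    return {"pid": pid, "position": position}

# --- vulnerable route: guard written by hand, weaker than the core declaration ----------
def json_packageorder_weak(user_perms, pid, position):
    if not user_perms & (Perm.ADD | Perm.DELETE):   # ADD or DELETE is enough here
        raise PermissionDenied("packageorder")
    return api_order_package(pid, position)          # core's MODIFY is never checked
json_packageorder_weak.required_perm = Perm.ADD | Perm.DELETE

# --- hardened route: guard derived from the core method it wraps ------------------------
def json_endpoint(core_fn):
    def deco(handler):
        need = core_fn.required_perm
        @functools.wraps(handler)
        def wrapper(user_perms, *args, **kwargs):
            if user_perms & need != need:            # must hold every bit the core needs
                raise PermissionDenied(handler.__name__)
            return handler(user_perms, *args, **kwargs)
        wrapper.required_perm = need
        return wrapper
    return deco

@json_endpoint(api_order_package)
def json_packageorder(user_perms, pid, position):
    return api_order_package(pid, position)

# --- audit: find routes whose guard does not cover the core method's requirement --------
def find_permission_gaps(routes):
    """routes: {path: (handler, core_fn)}. Returns the paths whose handler guard is
    weaker than the declared permission of the core method it invokes."""
    gaps = []
    for path, (handler, core) in routes.items():
        need = core.required_perm
        if handler.required_perm & need != need:
            gaps.append(path)
    return gaps

def is_denied(fn, user_perms, *args):
    try:
        fn(user_perms, *args)
    except PermissionDenied:
        return True
    return False

if __name__ == "__main__":
    table = {"/json/packageorder": (json_packageorder_weak, api_order_package)}
    print("weak route gaps:", find_permission_gaps(table))
    print("ADD-only user bypasses weak route:", not is_denied(json_packageorder_weak, Perm.ADD, 1, 0))
    print("ADD-only user denied on bound route:", is_denied(json_packageorder, Perm.ADD, 1, 0))
```

The audit is the part worth keeping in CI: a test that builds the real route table and asserts find_permission_gaps returns an empty list catches the next hand-written guard before it ships.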
CVE-2026-40071 pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...