pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

Summary The setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSIONCOOKIESECURE on every request...

PT-2026-33285

Name of the Vulnerable Software and Affected Versions pyLoad affected versions not specified Description A race condition exists in the set session cookie secure before request handler within the src/pyload/webui/app/ init .py file. The application reads the X-Forwarded-Proto header from HTTP...

pyLoad's Session Not Invalidated After Permission Changes

Summary The pyload application does not properly invalidate or modify sessions upon changes made to a user's permissions. Details Whenever an administrator changes the permissions a specific account has, they do not expect that account still being able to access data that their new permissions do...

GHSA-FJ52-5G4H-GMQ8 pyLoad's Session Not Invalidated After Permission Changes

Summary The pyload application does not properly invalidate or modify sessions upon changes made to a user's permissions. Details Whenever an administrator changes the permissions a specific account has, they do not expect that account still being able to access data that their new permissions do...

Server-Side Request Forgery (SSRF)

pyLoad is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to missing validation of redirect targets during URL fetching, which allows an attacker to supply a crafted URL that redirects to internal resources and bypass SSRF protections...

CVE-2026-40071

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

CVE-2026-40071

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

CVE-2026-40071 pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

CVE-2026-40071 pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

EUVD-2026-20998

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

CVE-2026-40071

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

CVE-2026-40071

CVE-2026-40071 affects the pyLoad download manager (Python). The weakness lies in the WebUI JSON endpoints /json/package_order, /json/link_order, and /json/abort_link, which enforce weaker permissions than the core API methods they invoke. This permits authenticated, low-privileged users to perfo...

pyLoad 安全漏洞

pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev97 contained security vulnerabilities. These vulnerabilities stemmed from weak permissions for certain WebUI JSON endpoints, allowing low-privilege authenticated users to perform MODIFY operations...

CVE-2026-35592

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the safeextractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level...

GHSA-RFGH-63MG-8PWM pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions

Summary Several WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. Confirmed mismatches: - ADD user can reorder packages/files...

Incorrect Authorization

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization in the WebUI JSON endpoints due to weaker permission checks than those enforced by the core API. An attacker can perform unauthorize...

EUVD-2026-19738

pyload-ng: Incomplete Tar Path Traversal Fix in UnTar.safeextractall via os.path.commonprefix Bypass...

Directory Traversal

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal in the safeextractall function. An attacker can write files outside the intended extraction directory by crafting a malicious tar archiv...

EUVD-2026-19736

pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng...

GHSA-PPVX-RWH9-7RJ7 pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng

Summary The ADMINONLYCOREOPTIONS authorization set in setconfigvalue uses incorrect option names sslcert and sslkey, while the actual configuration option names are sslcertfile and sslkeyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with...