CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/05/28 5:12 p.m.•8 views

EUVD-2026-32957

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to...

8.7CVSS5.8AI score0.00199EPSS

Exploits0References1

OSV•added 2026/05/11 6:16 p.m.•5 views

PYSEC-2026-128

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .. after replacement partial removal, leaving .. which can be exploited when the path is later resolve...

PyPA•added 2026/05/11 6:16 p.m.•13 views

PYSEC-2026-127

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains...

8.3CVSS5.8AI score0.00396EPSS

ATTACKERKB•added 2026/05/11 4:36 p.m.•2 views

CVE-2026-44226

5.3CVSS5.8AI score0.00336EPSS

Exploits1References2Affected Software1

Vulnrichment•added 2026/05/11 4:34 p.m.•6 views

CVE-2026-42314 pyLoad: Path Traversal via Package Folder Name

CVE•added 2026/05/11 4:34 p.m.•11 views

CVE-2026-42314

pyLoad/pyload-ng exposes a path traversal via the add_package workflow: folder sanitization replaces ../ with _ but the replacement is bypassable, leaving .. sequences that OS path resolution can interpret. Affected component is add_package in pyload/core/api/init .py; authenticated/ADD-permissio...

CNNVD•added 2026/05/11 12:0 a.m.•5 views

pyLoad 路径遍历漏洞

pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained a path traversal vulnerability. This vulnerability stemmed from insufficient cleanup of package folder names, which could lead to path traversal attacks...

CNNVD•added 2026/04/22 12:0 a.m.•6 views

pyLoad 代码问题漏洞

pyLoad is an open-source download manager written in Python. Versions of pyLoad 0.5.0b3.dev97 and earlier have code vulnerabilities. These vulnerabilities stem from caching role and permission values during login, and continuing to use these cached values to authorize requests after the...

8.8CVSS7.3AI score0.00325EPSS

OSV•added 2026/04/21 6:16 p.m.•7 views

PYSEC-2026-125

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...

4.8CVSS5.8AI score0.00171EPSS

NVD•added 2026/04/09 6:17 p.m.•3 views

CVE-2026-40071

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

5.4CVSS0.00219EPSS

CVE•added 2026/04/09 5:36 p.m.•5 views

CVE-2026-40071

CVE-2026-40071 affects the pyLoad download manager (Python). The weakness lies in the WebUI JSON endpoints /json/package_order, /json/link_order, and /json/abort_link, which enforce weaker permissions than the core API methods they invoke. This permits authenticated, low-privileged users to perfo...

5.4CVSS6AI score0.00219EPSS

ATTACKERKB•added 2026/04/09 5:36 p.m.•1 views

CVE-2026-40071

5.4CVSS6AI score0.00219EPSS

Exploits1References2Affected Software1

Vulnrichment•added 2026/04/09 5:36 p.m.•2 views

CVE-2026-40071 pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions

5.4CVSS5.9AI score0.00219EPSS

OSV•added 2026/04/07 5:16 p.m.•4 views

PYSEC-2026-124

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the safeextractall function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix for its path traversal check, which performs character-level string comparison rather than path-level...

6.5CVSS5.8AI score0.00255EPSS

OSV•added 2026/04/07 5:16 p.m.•6 views

PYSEC-2026-123

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMINONLYCOREOPTIONS authorization set in setconfigvalue uses incorrect option names sslcert and sslkey, while the actual configuration option names are sslcertfile and sslkeyfile. This name mismatch...

6.8CVSS5.8AI score0.00142EPSS

CVE•added 2026/04/07 4:11 p.m.•5 views

CVE-2026-35592

Technical details (affected versions, root cause, exploitability, and mitigations) are not publicly provided in the supplied documents; monitor for updates.

6.5CVSS5.9AI score0.00255EPSS

Vulnrichment•added 2026/04/07 4:11 p.m.•3 views

CVE-2026-35592 pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass

5.3CVSS5.9AI score0.00255EPSS