| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1k5h-nhcv-cke9 |
| vulnerability_id |
VCID-1k5h-nhcv-cke9 |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-42312, GHSA-ccxc-x975-4hh9, PYSEC-2026-126
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1k5h-nhcv-cke9 |
|
| 1 |
| url |
VCID-c4n8-pnbr-buce |
| vulnerability_id |
VCID-c4n8-pnbr-buce |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-40594, GHSA-mp82-fmj6-f22v, PYSEC-2026-125
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c4n8-pnbr-buce |
|
| 2 |
| url |
VCID-h66k-vm3m-c3b6 |
| vulnerability_id |
VCID-h66k-vm3m-c3b6 |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-42313, GHSA-pg67-9wjv-mr85, PYSEC-2026-127
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h66k-vm3m-c3b6 |
|
| 3 |
| url |
VCID-hsc6-6qgc-q3eg |
| vulnerability_id |
VCID-hsc6-6qgc-q3eg |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-33314, GHSA-q485-cg9q-xq2r, PYSEC-2026-122
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hsc6-6qgc-q3eg |
|
| 4 |
| url |
VCID-jxej-fugb-3ydh |
| vulnerability_id |
VCID-jxej-fugb-3ydh |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-42314, GHSA-97r3-5w84-r4q8, PYSEC-2026-128
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxej-fugb-3ydh |
|
| 5 |
| url |
VCID-nbnk-6g72-3ybk |
| vulnerability_id |
VCID-nbnk-6g72-3ybk |
| summary |
pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-22416, GHSA-pgpj-v85q-h5fm, PYSEC-2024-17
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nbnk-6g72-3ybk |
|
| 6 |
| url |
VCID-ng6u-saxg-dbf9 |
| vulnerability_id |
VCID-ng6u-saxg-dbf9 |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. This vulnerability is fixed in 0.5.0b3.dev97. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-35592, GHSA-mvwx-582f-56r7, PYSEC-2026-124
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ng6u-saxg-dbf9 |
|
| 7 |
| url |
VCID-p22h-1rtx-bkcy |
| vulnerability_id |
VCID-p22h-1rtx-bkcy |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-42315, GHSA-838g-gr43-qqg9, PYSEC-2026-129
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p22h-1rtx-bkcy |
|
| 8 |
| url |
VCID-x15r-v69w-yuaj |
| vulnerability_id |
VCID-x15r-v69w-yuaj |
| summary |
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-35586, GHSA-ppvx-rwh9-7rj7, PYSEC-2026-123
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x15r-v69w-yuaj |
|
|
|---|