Search for packages
| purl | pkg:pypi/pyload-ng@0.5.0b3.dev100 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1k5h-nhcv-cke9 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100. |
CVE-2026-42312
GHSA-ccxc-x975-4hh9 PYSEC-2026-126 |
| VCID-h66k-vm3m-c3b6 | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100. |
CVE-2026-42313
GHSA-pg67-9wjv-mr85 PYSEC-2026-127 |
| VCID-jxej-fugb-3ydh | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100. |
CVE-2026-42314
GHSA-97r3-5w84-r4q8 PYSEC-2026-128 |
| VCID-p22h-1rtx-bkcy | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100. |
CVE-2026-42315
GHSA-838g-gr43-qqg9 PYSEC-2026-129 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:25:12.800018+00:00 | Pypa Importer | Fixing | VCID-p22h-1rtx-bkcy | https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-129.yaml | 38.6.0 |
| 2026-06-02T04:25:12.360813+00:00 | Pypa Importer | Fixing | VCID-jxej-fugb-3ydh | https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-128.yaml | 38.6.0 |
| 2026-06-02T04:25:11.923158+00:00 | Pypa Importer | Fixing | VCID-h66k-vm3m-c3b6 | https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-127.yaml | 38.6.0 |
| 2026-06-02T04:25:11.487875+00:00 | Pypa Importer | Fixing | VCID-1k5h-nhcv-cke9 | https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-126.yaml | 38.6.0 |