VulnerableCode Package Details - pkg:pypi/pyload-ng@0.5.0b3.dev98

Search for packages

Vulnerability	Summary	Fixed by
VCID-1k5h-nhcv-cke9 Aliases: CVE-2026-42312 GHSA-ccxc-x975-4hh9 PYSEC-2026-126	pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.	0.5.0b3.dev100 Affected by 0 other vulnerabilities.
VCID-h66k-vm3m-c3b6 Aliases: CVE-2026-42313 GHSA-pg67-9wjv-mr85 PYSEC-2026-127	pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.	0.5.0b3.dev100 Affected by 0 other vulnerabilities.
VCID-jxej-fugb-3ydh Aliases: CVE-2026-42314 GHSA-97r3-5w84-r4q8 PYSEC-2026-128	pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.	0.5.0b3.dev100 Affected by 0 other vulnerabilities.
VCID-p22h-1rtx-bkcy Aliases: CVE-2026-42315 GHSA-838g-gr43-qqg9 PYSEC-2026-129	pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.	0.5.0b3.dev100 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1k5h-nhcv-cke9
Aliases:
CVE-2026-42312
GHSA-ccxc-x975-4hh9
PYSEC-2026-126

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.

0.5.0b3.dev100
Affected by 0 other vulnerabilities.

VCID-h66k-vm3m-c3b6
Aliases:
CVE-2026-42313
GHSA-pg67-9wjv-mr85
PYSEC-2026-127

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.

0.5.0b3.dev100
Affected by 0 other vulnerabilities.

VCID-jxej-fugb-3ydh
Aliases:
CVE-2026-42314
GHSA-97r3-5w84-r4q8
PYSEC-2026-128

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.

0.5.0b3.dev100
Affected by 0 other vulnerabilities.

VCID-p22h-1rtx-bkcy
Aliases:
CVE-2026-42315
GHSA-838g-gr43-qqg9
PYSEC-2026-129

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.

0.5.0b3.dev100
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:25:12.792201+00:00	Pypa Importer	Affected by	VCID-p22h-1rtx-bkcy	https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-129.yaml	38.6.0
2026-06-02T04:25:12.353111+00:00	Pypa Importer	Affected by	VCID-jxej-fugb-3ydh	https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-128.yaml	38.6.0
2026-06-02T04:25:11.915369+00:00	Pypa Importer	Affected by	VCID-h66k-vm3m-c3b6	https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-127.yaml	38.6.0
2026-06-02T04:25:11.478830+00:00	Pypa Importer	Affected by	VCID-1k5h-nhcv-cke9	https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-126.yaml	38.6.0