{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","type":"pypi","namespace":"","name":"pyload-ng","version":"0.5.0b3.dev100","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70568?format=json","vulnerability_id":"VCID-5tq7-5rr2-hke4","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\"general\", \"ssl_verify\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. 
This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42312","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05647","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06616","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42312"},{"reference_url":"https://github.com/advisories/GHSA-4744-96p5-mp2j","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4744-96p5-mp2j"},{"reference_url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7"},{"reference_url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx"},{"reference_url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vu
lns/pyload-ng/PYSEC-2026-126.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-126.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42312","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42312"},{"reference_url":"https://github.com/advisories/GHSA-ccxc-x975-4hh9","reference_id":"GHSA-ccxc-x975-4hh9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ccxc-x975-4hh9"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9","reference_id":"GHSA-ccxc-x975-4hh9","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-11T18:50:26Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42312","GHSA-ccxc-x975-4hh9","PYSEC-2026-126"],"risk_score":3.1,"expl
oitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5tq7-5rr2-hke4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218410?format=json","vulnerability_id":"VCID-5v6x-k9wj-zybu","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the folder name passed to the set_package_data() API function under the \"_folder\" key of the data object is not sanitized at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42315","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19101","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21638","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42315"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-129.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements"
:""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-129.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42315","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42315"},{"reference_url":"https://github.com/advisories/GHSA-838g-gr43-qqg9","reference_id":"GHSA-838g-gr43-qqg9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-838g-gr43-qqg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42315","GHSA-838g-gr43-qqg9","PYSEC-2026-129"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5v6x-k9wj-zybu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70499?format=json","vulnerability_id":"VCID-8hzh-53hk-6yaz","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains (\"proxy\", \"username\") and (\"proxy\", \"password\") — which protect the proxy credentials — but it does not include (\"proxy\", \"enabled\"), (\"proxy\", \"host\"), (\"proxy\", \"port\"), or (\"proxy\", \"type\"). 
Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42313","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04091","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05398","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42313"},{"reference_url":"https://github.com/advisories/GHSA-4744-96p5-mp2j","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4744-96p5-mp2j"},{"reference_url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7"},{"reference_url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx"}
,{"reference_url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-127.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-127.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42313","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42313"},{"reference_url":"https://github.com/advisories/GHSA-pg67-9wjv-mr85","reference_id":"GHSA-pg67-9wjv-mr85","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pg67-9wjv-mr85"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-pg67-9wjv-mr85","reference_id":"GHSA-pg67-9wjv-mr85","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:50:29Z/"}],"url":"https://github.com/pyload/pyload/sec
urity/advisories/GHSA-pg67-9wjv-mr85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42313","GHSA-pg67-9wjv-mr85","PYSEC-2026-127"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8hzh-53hk-6yaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70631?format=json","vulnerability_id":"VCID-fygw-7zvj-h3d5","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 
0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42314","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18668","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.2123","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42314"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-128.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-128.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42314","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42314"},{"reference_url":"https://github.com/advisories/GHSA-97r3-5w84-r4q8","reference_id":"GHSA-97r3-5w84-r4q8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-97r3-5w84-r4q8"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8","reference_id":"GHSA-97r3-5w84-r4q8","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:
P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:33:35Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42314","GHSA-97r3-5w84-r4q8","PYSEC-2026-128"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fygw-7zvj-h3d5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68162?format=json","vulnerability_id":"VCID-u77b-vpjm-53a6","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the initial URL. 
This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46561","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08567","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08527","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-46561"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46561","reference_id":"CVE-2026-46561","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46561"},{"reference_url":"https://github.com/advisories/GHSA-8rp3-xc6w-5qp5","reference_id":"GHSA-8rp3-xc6w-5qp5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8rp3-xc6w-5qp5"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-8rp3-xc6w-5qp5","reference_id":"GHSA-8rp3-xc6w-5qp5","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:53:45Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-8rp3-xc6w-5qp5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":fal
se,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-46561","GHSA-8rp3-xc6w-5qp5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u77b-vpjm-53a6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67864?format=json","vulnerability_id":"VCID-uwgh-ppsz-jyhz","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44226","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.20838","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22376","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44226"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44226","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44226"},{"reference_url":"https://github.com/advisories/GHSA-c3gc-9pf2-84gg","reference_id":"GHSA-c3gc-9pf2-84gg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.co
m/advisories/GHSA-c3gc-9pf2-84gg"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg","reference_id":"GHSA-c3gc-9pf2-84gg","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:26:38Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-44226","GHSA-c3gc-9pf2-84gg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uwgh-ppsz-jyhz"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}