
pyload — Vulnerabilities & Security Advisories (37)

Browse all 37 CVE security advisories affecting pyload. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Pyload is an open-source download manager and automation tool designed to facilitate the collection of files from various hosting services. Its architecture, which often involves executing user-supplied scripts and managing complex file interactions, has historically exposed it to significant security risks. Analysis of its thirty-seven recorded Common Vulnerabilities and Exposures reveals a pattern of critical flaws, primarily involving Remote Code Execution (RCE) and Cross-Site Scripting (XSS). These vulnerabilities frequently stem from insufficient input validation and improper handling of uploaded content, allowing attackers to escalate privileges or inject malicious payloads. Notable incidents highlight the severity of these issues, with several CVEs enabling full system compromise through simple configuration changes or file uploads. The software’s reliance on Python-based execution engines further amplifies the risk, as many exploits leverage deserialization flaws or command injection vectors. Consequently, users must apply strict security hardening and regular updates to mitigate these persistent threats inherent in its design.

Top products by pyload: pyload, pyload/pyload
CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41133 | pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) | pyload | CWE-613 | 8.8 | High | 2026-04-21
CVE-2026-40594 | pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) | pyload | CWE-346 | 4.8 | Medium | 2026-04-21
CVE-2026-40071 | pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions | pyload | CWE-863 | 5.4 | Medium | 2026-04-09
CVE-2026-35592 | pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass | pyload | CWE-22 | 5.3 | Medium | 2026-04-07
CVE-2026-35586 | Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng | pyload | CWE-863 | 6.8 | Medium | 2026-04-07
CVE-2026-35464 | pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution | pyload | CWE-502 | 7.5 | High | 2026-04-07
CVE-2026-35463 | pyLoad has Improper Neutralization of Special Elements used in an OS Command | pyload | CWE-78 | 8.8 | High | 2026-04-07
CVE-2026-35459 | pyLoad has SSRF fix bypass via HTTP redirect | pyload | CWE-918 | 4.6 (AI) | Medium (AI) | 2026-04-06
CVE-2026-35187 | pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter | pyload | CWE-918 | 7.7 | High | 2026-04-06
CVE-2026-33992 | pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration | pyload | CWE-918 | 7.7 | - | 2026-03-27
CVE-2026-33511 | pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad | pyload | CWE-639 | 8.2 | - | 2026-03-24
CVE-2026-33509 | pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration | pyload | CWE-269 | 7.5 | High | 2026-03-24
CVE-2026-33314 | pyload-ng: Improper Authentication and Origin Validation Error | pyload | CWE-287 | 6.5 | Medium | 2026-03-24
CVE-2026-32808 | pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification | pyload | CWE-22 | 8.1 | High | 2026-03-20
CVE-2026-29778 | pyLoad: Arbitrary File Write via Path Traversal in edit_package() | pyload | CWE-23 | 7.1 | High | 2026-03-07
CVE-2025-61773 | pyLoad CNL and captcha handlers allow code Injection via unsanitized parameters | pyload | CWE-74 | 8.1 | High | 2025-10-09
CVE-2025-57751 | Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs | pyload | CWE-400 | 6.5 (AI) | Medium (AI) | 2025-08-21
CVE-2025-55156 | PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter | pyload | CWE-89 | 9.1 (AI) | Critical (AI) | 2025-08-11
CVE-2025-54802 | pyLoad CNL Blueprint is vulnerable to Path Traversal through `dlc_path` leading to Remote Code Execution (RCE) | pyload | CWE-22 | 9.8 | Critical | 2025-08-05
CVE-2025-54140 | pyLoad has Path Traversal Vulnerability in json/upload Endpoint that allows Arbitrary File Write | pyload | CWE-22 | 7.5 | High | 2025-07-22
CVE-2025-53890 | pyLoad vulnerable to remote code execution through js2py onCaptchaResult | pyload | CWE-94 | 9.8 | Critical | 2025-07-14
CVE-2025-7346 | pyLoad security vulnerability | Pyload | CWE-281 | 6.2 (AI) | Medium (AI) | 2025-07-08
CVE-2024-1240 | Open Redirection in pyload/pyload | pyload/pyload | CWE-601 | 6.1 (AI) | Medium (AI) | 2024-11-15
CVE-2024-47821 | pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API | pyload | CWE-78 | 9.1 | Critical | 2024-10-25
CVE-2024-32880 | pyLoad allows upload to arbitrary folder lead to RCE | pyload | CWE-434 | 9.1 | Critical | 2024-04-26
CVE-2024-24808 | pyLoad open redirect vulnerability due to improper validation of the is_safe_url function | pyload | CWE-601 | 4.7 | Medium | 2024-02-06
CVE-2024-22416 | Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation | pyload | CWE-352 | 9.7 | Critical | 2024-01-17
CVE-2024-21644 | pyLoad unauthenticated flask configuration leakage | pyload | CWE-284 | 7.5 | High | 2024-01-08
CVE-2024-21645 | pyLoad Log Injection | pyload | CWE-74 | 5.3 | Medium | 2024-01-08
CVE-2023-0509 | Improper Certificate Validation in pyload/pyload | pyload/pyload | CWE-295 | 7.4 | - | 2023-01-26

(AI): CVSS score or severity flagged as AI-generated on the source page; "-": no severity given.

This page lists every published CVE security advisory associated with pyload. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.