Pyload

Pyload

35 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2026-40071

  • EPSS 0.03%
  • Veröffentlicht 09.04.2026 18:17:03
  • Zuletzt bearbeitet 13.04.2026 15:02:27

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This a...

6.5

CVE-2026-35592

Exploit
  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 16:11:38
  • Zuletzt bearbeitet 16.04.2026 21:11:52

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-...

6.8

CVE-2026-35586

Exploit
  • EPSS 0.02%
  • Veröffentlicht 07.04.2026 16:09:11
  • Zuletzt bearbeitet 16.04.2026 18:54:32

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option n...

7.5

CVE-2026-35464

  • EPSS 0.08%
  • Veröffentlicht 07.04.2026 14:38:02
  • Zuletzt bearbeitet 08.04.2026 21:27:15

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and...

8.8

CVE-2026-35463

  • EPSS 0.26%
  • Veröffentlicht 07.04.2026 14:32:44
  • Zuletzt bearbeitet 08.04.2026 21:27:15

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin...

9.1

CVE-2026-35459

Exploit
  • EPSS 0.03%
  • Veröffentlicht 06.04.2026 19:37:00
  • Zuletzt bearbeitet 20.04.2026 17:01:15

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks ...

7.7

CVE-2026-35187

Exploit
  • EPSS 0.03%
  • Veröffentlicht 06.04.2026 19:33:06
  • Zuletzt bearbeitet 20.04.2026 17:05:58

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation,...

6.5

CVE-2026-33992

Exploit
  • EPSS 0.06%
  • Veröffentlicht 27.03.2026 22:12:39
  • Zuletzt bearbeitet 31.03.2026 14:49:16

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker ca...

9.8

CVE-2026-33511

Exploit
  • EPSS 0.12%
  • Veröffentlicht 24.03.2026 18:56:08
  • Zuletzt bearbeitet 26.03.2026 20:29:49

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofin...

8.8

CVE-2026-33509

Exploit
  • EPSS 0.09%
  • Veröffentlicht 24.03.2026 18:55:37
  • Zuletzt bearbeitet 26.03.2026 20:47:02

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option withou...