Pyload

Pyload

45 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2026-45306

  • EPSS 0.23%
  • Veröffentlicht 28.05.2026 17:12:59
  • Zuletzt bearbeitet 29.05.2026 15:39:34

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). A...

8.7

CVE-2026-45348

  • EPSS 0.2%
  • Veröffentlicht 28.05.2026 17:12:20
  • Zuletzt bearbeitet 29.05.2026 15:39:34

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside si...

5

CVE-2026-46561

  • EPSS 0.18%
  • Veröffentlicht 28.05.2026 17:11:28
  • Zuletzt bearbeitet 29.05.2026 15:39:34

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing t...

5.3

CVE-2026-44226

Exploit
  • EPSS 0.34%
  • Veröffentlicht 11.05.2026 18:16:37
  • Zuletzt bearbeitet 18.05.2026 18:25:05

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication a...

6.5

CVE-2026-42315

Exploit
  • EPSS 0.4%
  • Veröffentlicht 11.05.2026 18:16:35
  • Zuletzt bearbeitet 15.05.2026 14:29:53

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing ...

6.5

CVE-2026-42314

Exploit
  • EPSS 0.34%
  • Veröffentlicht 11.05.2026 18:16:35
  • Zuletzt bearbeitet 15.05.2026 13:43:30

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. whi...

8.3

CVE-2026-42313

Exploit
  • EPSS 0.4%
  • Veröffentlicht 11.05.2026 18:16:34
  • Zuletzt bearbeitet 15.05.2026 14:04:39

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained...

6.8

CVE-2026-42312

Exploit
  • EPSS 0.17%
  • Veröffentlicht 11.05.2026 18:16:34
  • Zuletzt bearbeitet 15.05.2026 14:09:19

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained...

8.8

CVE-2026-41133

Exploit
  • EPSS 0.33%
  • Veröffentlicht 21.04.2026 23:41:06
  • Zuletzt bearbeitet 27.04.2026 19:28:39

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin c...

4.8

CVE-2026-40594

Exploit
  • EPSS 0.17%
  • Veröffentlicht 21.04.2026 17:14:03
  • Zuletzt bearbeitet 27.04.2026 19:43:46

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without val...