Pyload-ng Project

Pyload-ng

15 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2026-35592

Exploit
  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 16:11:38
  • Zuletzt bearbeitet 16.04.2026 21:11:52

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-...

6.8

CVE-2026-35586

Exploit
  • EPSS 0.02%
  • Veröffentlicht 07.04.2026 16:09:11
  • Zuletzt bearbeitet 16.04.2026 18:54:32

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option n...

9.1

CVE-2026-35459

Exploit
  • EPSS 0.03%
  • Veröffentlicht 06.04.2026 19:37:00
  • Zuletzt bearbeitet 20.04.2026 17:01:15

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks ...

7.7

CVE-2026-35187

Exploit
  • EPSS 0.03%
  • Veröffentlicht 06.04.2026 19:33:06
  • Zuletzt bearbeitet 20.04.2026 17:05:58

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation,...

9.8

CVE-2026-33511

Exploit
  • EPSS 0.12%
  • Veröffentlicht 24.03.2026 18:56:08
  • Zuletzt bearbeitet 26.03.2026 20:29:49

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofin...

8.8

CVE-2026-33509

Exploit
  • EPSS 0.09%
  • Veröffentlicht 24.03.2026 18:55:37
  • Zuletzt bearbeitet 26.03.2026 20:47:02

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option withou...

6.5

CVE-2026-33314

Exploit
  • EPSS 0.01%
  • Veröffentlicht 24.03.2026 18:52:28
  • Zuletzt bearbeitet 26.03.2026 12:01:09

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This ...

8.1

CVE-2026-32808

Exploit
  • EPSS 0.09%
  • Veröffentlicht 20.03.2026 02:16:34
  • Zuletzt bearbeitet 26.03.2026 18:36:48

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing ar...

6.5

CVE-2026-29778

Exploit
  • EPSS 0.02%
  • Veröffentlicht 07.03.2026 15:28:36
  • Zuletzt bearbeitet 11.03.2026 22:09:15

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a singl...

9.8

CVE-2025-54802

Exploit
  • EPSS 1.21%
  • Veröffentlicht 05.08.2025 00:06:48
  • Zuletzt bearbeitet 09.10.2025 17:32:39

pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to...