Pyload-ng Project

Pyload-ng

21 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.

Exploit
  • EPSS 0.4%
  • Published 11.05.2026 18:16:35
  • Last modified 15.05.2026 14:29:53

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing ...

Exploit
  • EPSS 0.34%
  • Published 11.05.2026 18:16:35
  • Last modified 15.05.2026 13:43:30

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. whi...

Exploit
  • EPSS 0.4%
  • Published 11.05.2026 18:16:34
  • Last modified 15.05.2026 14:04:39

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained...

Exploit
  • EPSS 0.17%
  • Published 11.05.2026 18:16:34
  • Last modified 15.05.2026 14:09:19

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained...

Exploit
  • EPSS 0.17%
  • Published 21.04.2026 17:14:03
  • Last modified 27.04.2026 19:43:46

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without val...

Exploit
  • EPSS 0.26%
  • Published 07.04.2026 16:11:38
  • Last modified 16.04.2026 21:11:52

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-...

Exploit
  • EPSS 0.14%
  • Published 07.04.2026 16:09:11
  • Last modified 16.04.2026 18:54:32

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option n...

Exploit
  • EPSS 0.82%
  • Published 07.04.2026 14:32:44
  • Last modified 24.04.2026 15:18:49

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin...

Exploit
  • EPSS 0.28%
  • Published 06.04.2026 19:37:00
  • Last modified 20.04.2026 17:01:15

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks ...

Exploit
  • EPSS 0.27%
  • Published 06.04.2026 19:33:06
  • Last modified 20.04.2026 17:05:58

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation,...