CVE-2026-33511

High CVSS: 8.8

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.

Vendor

Pyload

Product

Pyload

CWE

CWE-639

Yayın Tarihi

2026-03-24 20:16:30

Güncelleme

2026-03-26 20:29:49

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-639 Pyload HIGH Pyload 2026

Referanslar

https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw

Benzer Kayıtlar

Critical

CVE-2026-33992

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download e…

High

CVE-2026-33509

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97,…

High

CVE-2026-32808

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to pat…