| Severity | Score | Advisory | Affected versions |
|---|---|---|---|
| CRITICAL | 9.8 | CVE-2025-54802: pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE) | from 0, < 0.5.0b3.dev90 |
| CRITICAL | 9.8 | CVE-2025-53890: pyLoad vulnerable to XSS through insecure CAPTCHA | from 0, < 0.20 |
| CRITICAL | 9.8 | CVE-2024-39205: pyload-ng vulnerable to RCE with js2py sandbox escape | from 0, <= 0.5.0b3.dev85 |
| CRITICAL | 9.8 | Excessive Attack Surface in pyload-ng | from 0, < 0.5.0b3.dev41 |
| CRITICAL | 9.8 | Code Injection in pyload-ng | from 0, < 0.5.0b3.dev31 |
| CRITICAL | 9.6 | Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation | from 0, < 0.5.0b3.dev78 |
| CRITICAL | 9.6 | Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation | from 0, < 1374c824271cb7e927740664d06d2e577624ca3e, < c7cdc18ad9134a75222974b39e8b427c4af845fc; from 0, < 0.5.0b3.dev78 |
| CRITICAL | 9.1 | pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API | from 0, <= 0.5.0 |
| CRITICAL | 9.1 | pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API | from 0, < 0.5.0b3.dev87 |
| CRITICAL | 9.1 | pyLoad allows upload to arbitrary folder lead to RCE | from 0, <= 0.5.0 |
| HIGH | 8.8 | pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) | from 0, <= 0.5.0b3.dev97 |
| HIGH | 8.8 | pyLoad: Improper Neutralization of Special Elements used in an OS Command | from 0, <= 0.5.0b3.dev96 |
| HIGH | 8.7 | pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal | from 0, <= 0.5.0b3.dev99 |
| HIGH | 8.3 | pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586) | from 0, < 0.5.0b3.dev100 |
| HIGH | 8.1 | PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data | from 0, < 0.5.0b3.dev100 |
| HIGH | 8.1 | pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters | from 0, < 0.5.0b3.dev91 |
| HIGH | 7.7 | pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter | from 0, <= 0.5.0b3.dev96 |
| HIGH | 7.6 | Download to arbitrary folder can lead to RCE | from 0, < 0.5.0b3.dev75 |
| HIGH | 7.5 | pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509) | from 0, <= 0.5.0b3 |
| HIGH | 7.5 | pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration | >= 0.4.0, <= 0.5.0b3.dev96 |
| HIGH | 7.5 | `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write | >= 0.5.0b3.dev89, < 0.5.0b3.dev90 |
| HIGH | 7.5 | pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages | from 0, <= 0.5.0b3.dev88 |
| HIGH | 7.5 | pyload Unauthenticated Flask Configuration Leakage vulnerability | from 0, < 0.5.0b3.dev77 |
| HIGH | 7.4 | Improper Certificate Validation in pyload-ng | from 0, < 0.5.0b3.dev44 |
| HIGH | 7.1 | pyLoad has an Arbitrary File Write via Path Traversal in edit_package() | >= 0.5.0b3.dev13, < 0.5.0b3.dev97 |
| HIGH | 7.1 | pyLoad has an Arbitrary File Write via Path Traversal in edit_package() | >= 0.5.0b3.dev13, <= 0.5.0b3.dev96 |
| MEDIUM | 6.8 | pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586) | from 0, < 0.5.0b3.dev100 |
| MEDIUM | 6.8 | pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng | from 0, < 0.5.0b3.dev97 |
| MEDIUM | 6.5 | pyLoad Has Incomplete Fix for CVE-2026-33509 - storage_folder Bypass via Session Directory in pyLoad | from 0, <= 0.5.0b3.dev99 |
| MEDIUM | 6.5 | PyLoad Vulnerable to Path Traversal via Package Folder Name | from 0, < 0.5.0b3.dev100 |
| MEDIUM | 6.5 | Improper Authentication and Origin Validation Error in pyload-ng | from 0, < 0.5.0b3.dev97 |
| MEDIUM | 6.5 | Pyload Insufficient Session Expiration vulnerability | from 0, < 0.5.0b3.dev36 |
| MEDIUM | 6.1 | An open redirection vulnerability exists in pyload/pyload version 0.5.0. | from 0, < fe94451dcc2be90b3889e2fd9d07b483c8a6dccd; from 0 |
| MEDIUM | 6.1 | pyLoad open redirect vulnerability due to improper validation of the is_safe_url function | from 0, < 0.5.0b3.dev79 |
| MEDIUM | 6.1 | pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames | from 0, < 0.5.0b3.dev33 |
| MEDIUM | 5.4 | pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions | from 0, <= 0.5.0b3 |
| MEDIUM | 5.4 | Cross-site Scripting in pyload-ng | from 0, < 0.5.0b3.dev42 |
| MEDIUM | 5.4 | Improper Input Validation in pyload-ng | from 0, < 0.5.0b3.dev40 |
| MEDIUM | 5.3 | PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI | from 0, < 0.5.0b3.dev100 |
| MEDIUM | 5.3 | pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass | from 0, < 0.5.0b3.dev97 |
| MEDIUM | 5.3 | pyload Log Injection vulnerability | from 0, < 0.5.0b3.dev77 |
| MEDIUM | 5.3 | Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | from 0, < 0.5.0b3.dev32 |
| MEDIUM | 5.0 | pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API | from 0, < 0.5.0b3.dev100 |
| MEDIUM | 4.8 | pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) | from 0, < 0.5.0b3.dev98 |
| MEDIUM | 4.8 | pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) | from 0, < 0.5.0b3.dev69 |
| — | | pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) | from 0, <= 0.5.0b3.dev96 |
| — | | pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration | from 0, <= 0.5.0b3.dev96 |
| — | | Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs | from 0, < 0.5.0b3.dev92 |
| — | | PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter | from 0, < 0.5.0b3.dev91 |