Pyload-Ng Project: Pyload-Ng Security Vulnerabilities
pyLoad is a free and open-source download manager written in pure Python. In versions 0.5.0b3.dev89 and below, the pyLoad-ng CNL Blueprint is vulnerable to path traversal via the package parameter, allowing arbitrary file write that leads to remote code execution (RCE). The addcrypted endpoint in pyload-ng constructs file paths unsafely, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.
CVSS Score: 9.8
EPSS Score: 0.007
Published: 2025-08-05
pyLoad is a free and open-source download manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Because the session cookie is not set to `SameSite: strict`, this exposes the library to severe Cross-Site Request Forgery (CSRF) attacks. As a result, any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.
CVSS Score: 9.6
EPSS Score: 0.059
Published: 2024-01-18
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
CVSS Score: 9.6
EPSS Score: 0.003
Published: 2023-01-26
Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
CVSS Score: 7.4
EPSS Score: 0.003
Published: 2023-01-26
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.
CVSS Score: 3.1
EPSS Score: 0.002
Published: 2023-01-05

