
CVSS: 9.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Oct 2025 — pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, the pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behavi... • https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-116: Improper Encoding or Escaping of Output

CVSS: 7.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2025 — pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received in the pyLoad CNL Blueprint. Because the jk parameter was not verified, the user-supplied jk value was passed directly to dukpy.evaljs(), resulting in the server CPU being fully occupied and the web UI becoming unresponsive. This vulnerability is fixed in 0.5.0b3.dev92. • https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj • CWE-400: Uncontrolled Resource Consumption

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Aug 2025 — pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the add_links parameter of the API endpoint /json/add_package is vulnerable to SQL injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91. • https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Jul 2025 — pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially on the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included ... • https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.1 • EPSS: 1% • CPEs: 1 • EXPL: 0

25 Oct 2024 — pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` contains scripts that are run when certain actions are completed, e.g. when a download is finished. By downloading an executable file to a folder under /scripts and triggering the respective action, remote code execution can be achieved in versions on the 0.5 branch prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in the `/scripts` path and using the `/flashgot` API to download th... • https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.1 • EPSS: 4% • CPEs: 1 • EXPL: 0

26 Apr 2024 — pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code execution. There is no fix available at the time of publication. • https://github.com/pyload/pyload/security/advisories/GHSA-3f7w-p8vr-4v5f • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.4 • EPSS: 1% • CPEs: 1 • EXPL: 1

06 Feb 2024 — pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad validates URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched in commit fe94451. • https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 7.8 • EPSS: 87% • CPEs: 3 • EXPL: 2

08 Jan 2024 — pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77. • https://github.com/ltranquility/CVE-2024-21644-Poc • CWE-284: Improper Access Control

CVSS: 5.3 • EPSS: 73% • CPEs: 3 • EXPL: 1

08 Jan 2024 — pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77. • https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 7.4 • EPSS: 0% • CPEs: 2 • EXPL: 1

26 Jan 2023 — Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44. • https://github.com/pyload/pyload/commit/a9098bdf7406e6faf9df3da6ff2d584e90c13bbb • CWE-295: Improper Certificate Validation