pkg:PyPI/pyload-ng

45 distinct CVEs: CRITICAL 8, HIGH 15, MEDIUM 18, unscored 4


All known vulnerabilities

  • [CRITICAL 9.8] CVE-2025-54802: pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE)
    affected: from 0, < 0.5.0b3.dev90
  • [CRITICAL 9.8] CVE-2025-53890: pyLoad vulnerable to XSS through insecure CAPTCHA
    affected: from 0, < 0.20
  • [CRITICAL 9.8] CVE-2024-39205: pyload-ng vulnerable to RCE with js2py sandbox escape
    affected: from 0, <= 0.5.0b3.dev85
  • [CRITICAL 9.8] CVE-2023-0435: Excessive Attack Surface in pyload-ng
    affected: from 0, < 0.5.0b3.dev41
  • [CRITICAL 9.8] CVE-2023-0297: Code Injection in pyload-ng
    affected: from 0, < 0.5.0b3.dev31
  • [CRITICAL 9.6] CVE-2024-22416: Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
    affected: from 0, < 0.5.0b3.dev78 | from 0, < 1374c824271cb7e927740664d06d2e577624ca3e, < c7cdc18ad9134a75222974b39e8b427c4af845fc
  • [CRITICAL 9.1] CVE-2024-47821: pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
    affected: from 0, <= 0.5.0 | from 0, < 0.5.0b3.dev87
  • [CRITICAL 9.1] CVE-2024-32880: pyLoad allows upload to arbitrary folder lead to RCE
    affected: from 0, <= 0.5.0
  • [HIGH 8.8] CVE-2026-41133: pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
    affected: from 0, <= 0.5.0b3.dev97
  • [HIGH 8.8] CVE-2026-35463: pyLoad: Improper Neutralization of Special Elements used in an OS Command
    affected: from 0, <= 0.5.0b3.dev96
  • [HIGH 8.7] CVE-2026-45348: pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
    affected: from 0, <= 0.5.0b3.dev99
  • [HIGH 8.3] CVE-2026-42313: pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
    affected: from 0, < 0.5.0b3.dev100
  • [HIGH 8.1] CVE-2026-42315: PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
    affected: from 0, < 0.5.0b3.dev100
  • [HIGH 8.1] CVE-2025-61773: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters
    affected: from 0, < 0.5.0b3.dev91
  • [HIGH 7.7] CVE-2026-35187: pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
    affected: from 0, <= 0.5.0b3.dev96
  • [HIGH 7.6] CVE-2023-47890: Download to arbitrary folder can lead to RCE
    affected: from 0, < 0.5.0b3.dev75
  • [HIGH 7.5] CVE-2026-35464: pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
    affected: from 0, <= 0.5.0b3
  • [HIGH 7.5] CVE-2026-33509: pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
    affected: >= 0.4.0, <= 0.5.0b3.dev96
  • [HIGH 7.5] CVE-2025-54140: `pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
    affected: >= 0.5.0b3.dev89, < 0.5.0b3.dev90
  • [HIGH 7.5] CVE-2025-7346: pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
    affected: from 0, <= 0.5.0b3.dev88
  • [HIGH 7.5] CVE-2024-21644: pyload Unauthenticated Flask Configuration Leakage vulnerability
    affected: from 0, < 0.5.0b3.dev77
  • [HIGH 7.4] CVE-2023-0509: Improper Certificate Validation in pyload-ng
    affected: from 0, < 0.5.0b3.dev44
  • [HIGH 7.1] CVE-2026-29778: pyLoad has an Arbitrary File Write via Path Traversal in edit_package()
    affected: >= 0.5.0b3.dev13, < 0.5.0b3.dev97 | >= 0.5.0b3.dev13, <= 0.5.0b3.dev96
  • [MEDIUM 6.8] CVE-2026-42312: pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
    affected: from 0, < 0.5.0b3.dev100
  • [MEDIUM 6.8] CVE-2026-35586: pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
    affected: from 0, < 0.5.0b3.dev97
  • [MEDIUM 6.5] CVE-2026-45306: pyLoad Has Incomplete Fix for CVE-2026-33509 - storage_folder Bypass via Session Directory in pyLoad
    affected: from 0, <= 0.5.0b3.dev99
  • [MEDIUM 6.5] CVE-2026-42314: PyLoad Vulnerable to Path Traversal via Package Folder Name
    affected: from 0, < 0.5.0b3.dev100
  • [MEDIUM 6.5] CVE-2026-33314: Improper Authentication and Origin Validation Error in pyload-ng
    affected: from 0, < 0.5.0b3.dev97
  • [MEDIUM 6.5] CVE-2023-0227: Pyload Insufficient Session Expiration vulnerability
    affected: from 0, < 0.5.0b3.dev36
  • [MEDIUM 6.1] CVE-2024-1240: An open redirection vulnerability exists in pyload/pyload version 0.5.0.
    affected: from 0, < fe94451dcc2be90b3889e2fd9d07b483c8a6dccd | from 0
  • [MEDIUM 6.1] CVE-2024-24808: pyLoad open redirect vulnerability due to improper validation of the is_safe_url function
    affected: from 0, < 0.5.0b3.dev79
  • [MEDIUM 6.1] CVE-2023-0057: pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames
    affected: from 0, < 0.5.0b3.dev33
  • [MEDIUM 5.4] CVE-2026-40071: pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
    affected: from 0, <= 0.5.0b3
  • [MEDIUM 5.4] CVE-2023-0488: Cross-site Scripting in pyload-ng
    affected: from 0, < 0.5.0b3.dev42
  • [MEDIUM 5.4] CVE-2023-0434: Improper Input Validation in pyload-ng
    affected: from 0, < 0.5.0b3.dev40
  • [MEDIUM 5.3] CVE-2026-44226: PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
    affected: from 0, < 0.5.0b3.dev100
  • [MEDIUM 5.3] CVE-2026-35592: pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
    affected: from 0, < 0.5.0b3.dev97
  • [MEDIUM 5.3] CVE-2024-21645: pyload Log Injection vulnerability
    affected: from 0, < 0.5.0b3.dev77
  • [MEDIUM 5.3] CVE-2023-0055: Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
    affected: from 0, < 0.5.0b3.dev32
  • [MEDIUM 5.0] CVE-2026-46561: pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
    affected: from 0, < 0.5.0b3.dev100
  • [MEDIUM 4.8] CVE-2026-40594: pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
    affected: from 0, < 0.5.0b3.dev98 | from 0, < 0.5.0b3.dev69
  • [unscored] CVE-2026-35459: pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
    affected: from 0, <= 0.5.0b3.dev96
  • [unscored] CVE-2026-33992: pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
    affected: from 0, <= 0.5.0b3.dev96
  • [unscored] CVE-2025-57751: Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
    affected: from 0, < 0.5.0b3.dev92
  • [unscored] CVE-2025-55156: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
    affected: from 0, < 0.5.0b3.dev91
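Checking an installed pyload-ng against the ranges above. This is an added example, not code from this page or from the pyLoad project. It reads the page's range notation as PEP 440 specifiers, taking "from X" to mean ">= X" (an assumption about the notation), treats a bound that is a git commit hash as something it cannot evaluate rather than as "safe", and relies on the `packaging` library (with pip's vendored copy as a fallback). The `ADVISORIES` list is a constructed sample of entries from this page; the installed version is read with `importlib.metadata`, with a constructed fallback when pyload-ng is not installed.

```python
"""Check one installed pyload-ng version against advisory ranges written in the
notation this page uses ("from 0, < 0.5.0b3.dev90", ">= A, <= B", alternatives
separated by " | ")."""
import re
from importlib.metadata import PackageNotFoundError, version as dist_version
from typing import Dict, List, Optional, Tuple

try:
    from packaging.specifiers import SpecifierSet
    from packaging.version import InvalidVersion, Version
except ImportError:  # pip ships a vendored copy of packaging
    from pip._vendor.packaging.specifiers import SpecifierSet
    from pip._vendor.packaging.version import InvalidVersion, Version

# Constructed sample: a few of the entries listed on this page, in the page's
# own range notation. Extend with the rest of the list as needed.
ADVISORIES: List[Tuple[str, str]] = [
    ("CVE-2025-54802", "from 0, < 0.5.0b3.dev90"),
    ("CVE-2024-32880", "from 0, <= 0.5.0"),
    ("CVE-2025-54140", ">= 0.5.0b3.dev89, < 0.5.0b3.dev90"),
    ("CVE-2026-33509", ">= 0.4.0, <= 0.5.0b3.dev96"),
    ("CVE-2024-1240", "from 0, < fe94451dcc2be90b3889e2fd9d07b483c8a6dccd | from 0"),
]

_BOUND = re.compile(r"^(<=|>=|<|>)\s*(\S+)$")


def parse_alternative(alt: str) -> Optional[SpecifierSet]:
    """Translate one alternative ('from 0, < X') into a PEP 440 SpecifierSet.

    Assumption: 'from X' means '>= X'. Returns None when a bound is not a
    PEP 440 version (e.g. a git commit hash), so the caller never reports
    'not affected' on the strength of a range it could not evaluate."""
    clauses = []
    for clause in alt.split(","):
        clause = clause.strip()
        if clause.startswith("from "):
            clause = ">=" + clause[len("from "):].strip()
        m = _BOUND.match(clause)
        if not m:
            return None
        op, ver = m.groups()
        try:
            Version(ver)
        except InvalidVersion:
            return None
        clauses.append(f"{op}{ver}")
    return SpecifierSet(",".join(clauses))


def status(installed: str, range_text: str, allow_prereleases: bool = True) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one advisory range.

    allow_prereleases must stay True for pyload-ng: its releases are
    0.5.0b3.devNN, which PEP 440 classes as pre-releases, and packaging only
    admits pre-releases when told to (or when an inclusive bound is itself a
    pre-release). Passing False makes every dev build look unaffected."""
    installed_v = Version(installed)
    result = "not affected"
    for alt in range_text.split("|"):
        spec = parse_alternative(alt.strip())
        if spec is None:
            result = "unknown"  # could not evaluate; do not claim safe
            continue
        if spec.contains(installed_v, prereleases=allow_prereleases):
            return "affected"
    return result


def check(installed: str, advisories=ADVISORIES) -> Dict[str, str]:
    """Map every advisory to its status for the given installed version."""
    return {cve: status(installed, rng) for cve, rng in advisories}


def installed_pyload_version() -> Optional[str]:
    """Version of the pyload-ng distribution in this environment, if present."""
    try:
        return dist_version("pyload-ng")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_pyload_version() or "0.5.0b3.dev85"  # constructed fallback
    for cve, verdict in check(current).items():
        print(f"{current}: {cve} -> {verdict}")
```

The pre-release flag is the check that matters here. Every pyload-ng build on this page is a 0.5.0b3.devNN version, which PEP 440 treats as a pre-release, and a bare `Version(installed) in SpecifierSet("<=0.5.0")` is False for such a build because packaging only turns pre-release matching on by itself when an inclusive bound (>=, <=, ==, ~=) is itself a pre-release. A scanner that forgets to pass `prereleases=True` therefore reports a vulnerable dev build as clean.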