pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
Modified: 4/6/2026
Package: pkg:pypi/pyload-ng
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
Modified: 4/6/2026
pyLoad allows upload to arbitrary folder lead to RCE
Modified: 4/26/2024
Pyload log Injection via API /json/add_package in add_name parameter
Modified: 7/30/2025
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
Modified: 4/7/2026
pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE)
Modified: 8/5/2025
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Modified: 5/5/2026
Excessive Attack Surface in pyload-ng
Modified: 11/8/2023
pyLoad has an Arbitrary File Write via Path Traversal in edit_package()
Modified: 6/8/2026
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Modified: 4/7/2026
PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
Modified: 6/8/2026
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
Modified: 5/21/2026
Improper Certificate Validation in pyload-ng
Modified: 11/8/2023
pyLoad vulnerable to XSS through insecure CAPTCHA
Modified: 7/15/2025
PyLoad Vulnerable to Path Traversal via Package Folder Name
Modified: 6/8/2026
Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
Modified: 8/22/2025
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
Modified: 5/13/2026
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
Modified: 6/8/2026
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters
Modified: 5/5/2026
pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
Modified: 5/14/2026
pyLoad's Session Not Invalidated After Permission Changes
Modified: 4/14/2026
pyLoad open redirect vulnerability due to improper validation of the is_safe_url function
Modified: 2/16/2024
pyload Log Injection vulnerability
Modified: 2/16/2024
Download to arbitrary folder can lead to RCE
Modified: 5/4/2026
pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames
Modified: 11/8/2023
Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Modified: 11/8/2023
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Modified: 3/30/2026
pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
Modified: 6/8/2026
pyload Unauthenticated Flask Configuration Leakage vulnerability
Modified: 2/16/2024
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
Modified: 6/8/2026
Code Injection in pyload-ng
Modified: 2/16/2024
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
Modified: 6/8/2026
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
Modified: 10/21/2024
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
Modified: 6/8/2026
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
Modified: 8/12/2025
Improper Authentication and Origin Validation Error in pyload-ng
Modified: 6/8/2026
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
Modified: 3/27/2026
pyload-ng vulnerable to RCE with js2py sandbox escape
Modified: 10/28/2024
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
Modified: 4/13/2026
Pyload Insufficient Session Expiration vulnerability
Modified: 11/8/2023
pyLoad: Improper Neutralization of Special Elements used in an OS Command
Modified: 4/7/2026
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad
Modified: 5/14/2026
pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
Modified: 6/8/2026
Cross-site Scripting in pyload-ng
Modified: 11/8/2023
pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
Modified: 7/9/2025
Improper Input Validation in pyload-ng
Modified: 11/8/2023
`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
Modified: 7/23/2025