60 Total advisories
60 Vulnerabilities
0 Malware
Vulnerabilities
HIGH 8.7
CVE-2026-45348
pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
MEDIUM 5.0
CVE-2026-46561
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
MEDIUM 6.5
CVE-2026-45306
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad
HIGH 8.3
CVE-2026-42313
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
MEDIUM 6.8
CVE-2026-42312
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
MEDIUM 6.5
CVE-2026-42314
PyLoad Vulnerable to Path Traversal via Package Folder Name
HIGH 8.1
CVE-2026-42315
PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
MEDIUM 5.3
CVE-2026-35592
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
MEDIUM 4.8
CVE-2026-40594
pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
MEDIUM 6.8
CVE-2026-35586
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
CRITICAL 9.1
CVE-2024-47821
pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
MEDIUM 6.5
CVE-2026-33314
Improper Authentication and Origin Validation Error in pyload-ng
HIGH 7.1
CVE-2026-29778
pyLoad has an Arbitrary File Write via Path Traversal in edit_package()
LOW 2.3
CVE-2024-47821
CVE-2024-47821
MEDIUM 6.5
CVE-2026-42315
CVE-2026-42315
MEDIUM 6.5
CVE-2026-42314
CVE-2026-42314
HIGH 8.3
CVE-2026-42313
CVE-2026-42313
MEDIUM 6.8
CVE-2026-42312
CVE-2026-42312
MEDIUM 4.8
CVE-2026-40594
CVE-2026-40594
MEDIUM 6.5
CVE-2026-35592
CVE-2026-35592
MEDIUM 6.8
CVE-2026-35586
CVE-2026-35586
MEDIUM 6.5
CVE-2026-33314
CVE-2026-33314
MEDIUM 6.5
CVE-2026-29778
CVE-2026-29778
MEDIUM 5.3
CVE-2026-44226
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
HIGH 8.8
CVE-2026-41133
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
HIGH 8.1
CVE-2025-61773
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters
HIGH 7.6
CVE-2023-47890
Download to arbitrary folder can lead to RCE
UNKNOWN
GHSA-fj52-5g4h-gmq8
pyLoad's Session Not Invalidated After Permission Changes
MEDIUM 5.4
CVE-2026-40071
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
HIGH 8.8
CVE-2026-35463
pyLoad: Improper Neutralization of Special Elements used in an OS Command
HIGH 7.5
CVE-2026-35464
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
UNKNOWN
CVE-2026-35459
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
HIGH 7.7
CVE-2026-35187
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
UNKNOWN
CVE-2026-33992
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
HIGH 7.5
CVE-2026-33509
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
MEDIUM 6.1
CVE-2024-1240
CVE-2024-1240
UNKNOWN
CVE-2025-57751
Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
UNKNOWN
CVE-2025-55156
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
CRITICAL 9.8
CVE-2025-54802
pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE)
MEDIUM 4.3
GHSA-3wwm-hjv7-23r3
Pyload log Injection via API /json/add_package in add_name parameter
HIGH 7.5
CVE-2025-54140
`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
CRITICAL 9.8
CVE-2025-53890
pyLoad vulnerable to XSS through insecure CAPTCHA
HIGH 7.5
CVE-2025-7346
pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
UNKNOWN
GHSA-2wcm-vx67-3x4q
Duplicate Advisory: GHSA-x698-5hjm-w2m5
UNKNOWN
GHSA-25pw-q952-x37g
Duplicate Advisory: pyload-ng vulnerable to RCE with js2py sandbox escape
CRITICAL 9.8
CVE-2024-39205
pyload-ng vulnerable to RCE with js2py sandbox escape
CRITICAL 9.6
CVE-2024-22416
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
CRITICAL 9.1
CVE-2024-32880
pyLoad allows upload to arbitrary folder lead to RCE
MEDIUM 6.1
CVE-2024-24808
pyLoad open redirect vulnerability due to improper validation of the is_safe_url function
MEDIUM 5.3
CVE-2024-21645
pyload Log Injection vulnerability
HIGH 7.5
CVE-2024-21644
pyload Unauthenticated Flask Configuration Leakage vulnerability
CRITICAL 9.8
CVE-2023-0297
Code Injection in pyload-ng
HIGH 8.8
CVE-2024-22416
CVE-2024-22416
HIGH 7.4
CVE-2023-0509
Improper Certificate Validation in pyload-ng
MEDIUM 5.4
CVE-2023-0488
Cross-site Scripting in pyload-ng
CRITICAL 9.8
CVE-2023-0435
Excessive Attack Surface in pyload-ng
MEDIUM 5.4
CVE-2023-0434
Improper Input Validation in pyload-ng
MEDIUM 6.5
CVE-2023-0227
Pyload Insufficient Session Expiration vulnerability
MEDIUM 6.1
CVE-2023-0057
pyLoad vulnerable to Improper Restriction of Rendered UI Layers or Frames
MEDIUM 5.3
CVE-2023-0055
Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Ready to move
Start Securing
Free, no credit card | First findings in minutes