GammaC0de

20 exploits, active since Jan 2023
CVE-2026-41133 WRITEUP HIGH
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.
CVSS 8.8
CVE-2026-35463 WRITEUP HIGH
pyLoad has Improper Neutralization of Special Elements used in an OS Command
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.
CVSS 8.8
CVE-2026-35464 WRITEUP HIGH
pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
CVSS 7.5
CVE-2026-35187 WRITEUP HIGH
pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), interact with internal services via gopher:// and dict:// protocols, and enumerate file existence via error-based oracle (error 37 vs empty response).
CVSS 7.7
CVE-2026-35459 WRITEUP CRITICAL
pyLoad has SSRF fix bypass via HTTP redirect
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.
CVSS 9.1
CVE-2026-33992 WRITEUP MEDIUM
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
CVSS 6.5
CVE-2023-0055 WRITEUP MEDIUM
pyload <0.5.0b3.dev32 - Info Disclosure
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32.
CVSS 5.3
CVE-2023-0057 WRITEUP MEDIUM
pyload <0.5.0b3.dev33 - Info Disclosure
Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.
CVSS 6.1
CVE-2023-0227 WRITEUP MEDIUM
pyload <0.5.0b3.dev36 - Info Disclosure
Insufficient Session Expiration in GitHub repository pyload/pyload prior to 0.5.0b3.dev36.
CVSS 6.5
CVE-2023-0434 WRITEUP HIGH
Pyload < 0.4.9 - Improper Input Validation
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.
CVSS 7.5
CVE-2023-0435 WRITEUP CRITICAL
pyload/pyload <0.5.0b3.dev41 - Info Disclosure
Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.
CVSS 9.8
CVE-2023-0488 WRITEUP MEDIUM
Pyload < 2023-01-24 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
CVSS 5.4
CVE-2023-0509 WRITEUP HIGH
Pyload < 2023-01-25 - Improper Certificate Validation
Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.
CVSS 7.4
CVE-2024-1240 WRITEUP MEDIUM
Pyload - Open Redirect
An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other malicious activities. The issue is fixed in pyload-ng 0.5.0b3.dev79.
CVSS 6.1
CVE-2024-21645 WRITEUP MEDIUM
Pyload < 0.4.9 - Injection
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.
CVSS 5.3
CVE-2024-24808 WRITEUP MEDIUM
pyLoad - Open Redirect
pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the `get_redirect_url` function when redirecting users at login. This vulnerability has been patched with commit fe94451.
CVSS 4.7
CVE-2025-53890 WRITEUP CRITICAL
pyload - RCE
pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.
CVSS 9.8
CVE-2025-54802 WRITEUP CRITICAL
Pyload-ng < 0.5.0b3.dev90 - Path Traversal
pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.
CVSS 9.8
CVE-2025-55156 WRITEUP HIGH
pyLoad <0.5.0b3.dev91 - SQL Injection
pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.
CVE-2025-61773 WRITEUP HIGH
Pypi Pyload-ng < 0.5.0b3.dev91 - XSS
pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, the pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. User-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. The CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue.
CVSS 8.1