CVE-2023-0297

CRITICAL EXPLOITED NUCLEI

pyLoad js2py Python Execution

Title source: metasploit

Exploitation Summary

CVE-2023-0297 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 10 public exploits from researchers including Gabriel Lima, bAuh0lz and JacobEbben, among them the Metasploit module exploits/linux/http/pyload_js2py_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a pre-authentication RCE vulnerability in PyLoad 0.5.0 by sending a crafted POST request to the '/flash/addcrypted2' endpoint, injecting a Python command via the 'jk' parameter that executes arbitrary shell commands. The payload bypasses authentication and directly triggers command execution on the target system.

Description

Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

Exploits (10)

exploitdb WORKING POC VERIFIED
by Gabriel Lima · python webapps python
https://www.exploit-db.com/exploits/51532

This exploit leverages a pre-authentication RCE vulnerability in PyLoad 0.5.0 by sending a crafted POST request to the '/flash/addcrypted2' endpoint, injecting a Python command via the 'jk' parameter that executes arbitrary shell commands. The payload bypasses authentication and directly triggers command execution on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PyLoad 0.5.0
No auth needed
Prerequisites: Network access to the target PyLoad instance · PyLoad 0.5.0 running with default or vulnerable configuration
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 28 stars
by bAuh0lz · remote
https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

CVE-2023-0297 is a pre-authentication remote code execution (RCE) vulnerability in pyLoad versions prior to 0.5.0b3.dev31. The exploit abuses the `js2py` library's `pyimport` functionality to execute arbitrary Python code via JavaScript injection in the `jk` parameter of a POST request to `/flash/addcrypted2`.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: pyLoad < 0.5.0b3.dev31
No auth needed
Prerequisites: Network access to the target pyLoad instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 11 stars
by JacobEbben · remote
https://github.com/JacobEbben/CVE-2023-0297

This is a functional exploit for CVE-2023-0297, targeting an unauthenticated RCE vulnerability in PyLoad versions prior to 0.5.0b3.dev31. The exploit leverages a command injection flaw in the `flash/addcrypted2` endpoint to execute arbitrary commands, including reverse shells.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PyLoad < 0.5.0b3.dev31
No auth needed
Prerequisites: Network access to the target PyLoad instance · PyLoad version < 0.5.0b3.dev31
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by Small-ears · remote
https://github.com/Small-ears/CVE-2023-0297

This PoC exploits CVE-2023-0297, a code injection vulnerability in pyLoad versions prior to 0.5.0b3.dev31, allowing pre-authentication RCE via js2py functionality. It sends a crafted POST request to '/flash/addcrypted2' and verifies vulnerability by checking DNS logs for a callback.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: pyLoad < 0.5.0b3.dev31
No auth needed
Prerequisites: Network access to the target pyLoad instance · Target must be running a vulnerable version of pyLoad
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by overgrowncarrot1 · remote
https://github.com/overgrowncarrot1/CVE-2023-0297

This is a functional exploit for CVE-2023-0297, which leverages a command injection vulnerability in the target software. The script sends a malicious POST request to execute a reverse shell via a crafted payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a web application with a vulnerable endpoint at /flash/addcrypted2)
No auth needed
Prerequisites: Network access to the target · Listener set up on the attacker's machine
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by dyeat · python poc
https://github.com/dyeat/cve-reproduction/tree/main/PyLoad/PyLoad/CVE-2023-0297

This repository contains a functional Python exploit for CVE-2023-0297, a pre-authentication remote code execution (RCE) vulnerability in PyLoad 0.5.0. The exploit leverages a js2py eval injection in the /flash/addcrypted2 endpoint to execute arbitrary commands on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PyLoad 0.5.0
No auth needed
Prerequisites: Target URL · Command to execute
devstral-2 · analyzed May 22, 2026

nomisec WORKING POC
by S4MY9 · remote
https://github.com/S4MY9/CVE-2023-0297

This Python script exploits CVE-2023-0297, a remote code execution vulnerability in pyload versions prior to 0.5.0b3.dev31. It sends a crafted POST request to the target's /flash/addcrypted2 endpoint, injecting a command via the 'jk' parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: pyload < 0.5.0b3.dev31
No auth needed
Prerequisites: Network access to the target's pyload instance · Target running a vulnerable version of pyload
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by hazeyez · poc
https://github.com/hazeyez/CVE-2023-0297

This repository contains a functional exploit for CVE-2023-0297, an unauthenticated remote code execution vulnerability in PyLoad versions prior to 0.5.0b3.dev31. The exploit leverages a crafted payload sent to the '/flash/addcrypted2' endpoint to execute arbitrary commands on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PyLoad < 0.5.0b3.dev31
No auth needed
Prerequisites: Network access to the target PyLoad instance
devstral-2 · analyzed Mar 07, 2026

metasploit WORKING POC EXCELLENT
by Spencer McIntyre, bAu · ruby poc unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pyload_js2py_exec.rb

This Metasploit module exploits CVE-2023-0297, a Python code injection vulnerability in pyLoad versions prior to 0.5.0b3.dev31. It leverages the js2py library's pyimport functionality via a crafted POST request to the flash/addcrypted2 endpoint, allowing unauthenticated remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: pyLoad < 0.5.0b3.dev31
No auth needed
Prerequisites: Network access to the target's Click 'N' Load service (port 9666)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
CRITICAL · VERIFIED · by MrHarshvardhan, DhiyaneshDk
Shodan: html:"pyload" || http.title:"login - pyload" || http.html:"pyload" || http.title:"pyload"
FOFA: title="login - pyload" || body="pyload" || title="pyload"

Scores

CVSS v3 9.8
EPSS 0.9294
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-01-22
CWE: CWE-94
Status: published
Products (2):
pyload/pyload < 0.4.20
pypi/pyload-ng 0 - 0.5.0b3.dev31 (PyPI)
Published Jan 14, 2023
Tracked Since Feb 18, 2026