CVE-2024-21644

HIGH NUCLEI

pyload < 0.5.0b3.dev77 - Unauthenticated Information Exposure via Flask Config Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-21644. PoCs published by ltranquility. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python script that scans for CVE-2024-21644, an unauthenticated Flask configuration leak vulnerability. It checks for the presence of 'SECRET_KEY' in the response from '/render/info.html' to determine if the target is vulnerable.

Description

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.

Exploits (1)

nomisec SCANNER 1 stars

by ltranquility · poc

https://github.com/ltranquility/CVE-2024-21644-Poc

View Code ZIP pw:eip

This repository contains a Python script that scans for CVE-2024-21644, an unauthenticated Flask configuration leak vulnerability. It checks for the presence of 'SECRET_KEY' in the response from '/render/info.html' to determine if the target is vulnerable.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Flask (unspecified version)

No auth needed

Prerequisites: Target URL or list of URLs to scan

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

pyLoad Flask Config - Access Control

HIGHVERIFIEDby West-wise

Shodan: html:"pyload" || http.title:"login - pyload" || http.html:"pyload" || http.title:"pyload"

FOFA: title="login - pyload" || body="pyload" || title="pyload"

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv

Patch x_refsource_misc

https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40

Scores

CVSS v3 7.5

EPSS 0.8928

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (3)

pyload/pyload 0.5.0 beta1 (2 CPE variants)

pyload/pyload < 0.4.9

pypi/pyload-ng 0 - 0.5.0b3.dev77PyPI

Published Jan 08, 2024

Tracked Since Feb 18, 2026