CVE-2024-21644
HIGH
NUCLEI
Pyload < 0.4.9 - Improper Access Control
Title source: ruleDescription
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
Exploits (1)
Nuclei Templates (1)
pyLoad Flask Config - Access Control
HIGH
VERIFIED
by West-wise
Shodan:
html:"pyload" || http.title:"login - pyload" || http.html:"pyload" || http.title:"pyload"
FOFA:
title="login - pyload" || body="pyload" || title="pyload"
Scores
CVSS v3
7.5
EPSS
0.8651
EPSS Percentile
99.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-284
Status
published
Products (3)
pyload/pyload
0.5.0 beta1 (2 CPE variants)
pyload/pyload
< 0.4.9
pypi/pyload-ng
0 - 0.5.0b3.dev77 (PyPI)
Published
Jan 08, 2024
Tracked Since
Feb 18, 2026