Description
pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of jk parameter verification, the jk parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive. This vulnerability is fixed in 0.5.0b3.dev92.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj
Scores
CVSS v4
7.7
EPSS
0.0010
EPSS Percentile
27.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
pyload/pyload
< 0.5.0b3.dev92
pypi/pyload-ng
0 - 0.5.0b3.dev92PyPI
Published
Aug 21, 2025
Tracked Since
Feb 18, 2026