CVE-2026-44226

MEDIUM

pyLoad: Unauthenticated traceback disclosure via global exception handler in WebUI

Title source: cna

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 19.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (3)

pyload/pyload < 2026-04-13

pyload/pyload < 0.5.0b3.dev100

pypi/pyload-ng 0 - 0.5.0b3.dev100PyPI

Published May 11, 2026

Tracked Since May 11, 2026