Home > Vulnerability Database > CVE-2025-7346

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2025-7346

Good to know:

Date: July 8, 2025

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages

Severity Score

10.0

Related Resources (7)

Url: https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840

Url: https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11

Url: https://github.com/pyload/pyload

Url: https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-7346

Url: https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36

Url: https://www.mend.io/vulnerability-database/CVE-2025-7346

Severity Score

10.0

Weakness Type (CWE)

Improper Access Control

CWE-284

Authentication Bypass by Spoofing

CWE-290

Improper Preservation of Permissions

CWE-281

Top Fix

Upgrade Version

Upgrade to version pyload-ng - 0.5.0b3.dev89;pyload-ng - 0.5.0b3.dev89;https://github.com/pyload/pyload.git - null

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Do you need more information?

Contact Us