CVE-2026-33511
March 24, 2026
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
Affected Packages
pyload-ng (PYTHON):
Affected version(s) >=0.5.0a5.dev528 <0.5.0b3.dev97Fix Suggestion:
Update to version 0.5.0b3.dev97pyload-ng (PYTHON):
Affected version(s) >=0.5.0a5.dev528 <0.5.0b3.dev97Fix Suggestion:
Update to version 0.5.0b3.dev97pyload-ng (PYTHON):
Affected version(s) >=0.5.0a5.dev528 <0.5.0b3.dev97Fix Suggestion:
Update to version 0.5.0b3.dev97Related ResourcesĀ (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
LOW
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
EPSS
Base Score:
0.09
