Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
Published: 2026-03-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass and Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in pyLoad’s ClickNLoad feature permits an unauthenticated attacker to override the local_check decorator by sending a request with a forged HTTP Host header. This bypass opens localhost‑restricted endpoints, allowing the attacker to inject arbitrary downloads, write files to the storage directory, and run JavaScript code, effectively enabling remote code execution on the target system.

Affected Systems

The vulnerability affects the pyLoad download manager from versions 0.4.20 up to, but not including, 0.5.0b3.dev97. The affected product is the open‑source pyLoad application.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, and a very low EPSS score of less than 1%, suggesting the likelihood of public exploitation is minimal. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that a remote attacker can exploit the issue by sending a crafted HTTP request with a spoofed Host header to the server, thereby gaining unauthenticated access to restricted endpoints.

Generated by OpenCVE AI on March 26, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev97 or later.

Generated by OpenCVE AI on March 26, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Pyload-ng Project
Pyload-ng Project pyload-ng
CPEs cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
Vendors & Products Pyload-ng Project
Pyload-ng Project pyload-ng
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Pyload
Pyload pyload
Vendors & Products Pyload
Pyload pyload

Tue, 24 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
Title pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N'}

Subscriptions

Pyload Pyload
Pyload-ng Project Pyload-ng
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:28:19.605Z

Reserved: 2026-03-20T16:59:08.890Z

Link: CVE-2026-33511

cve-icon Vulnrichment

Updated: 2026-03-25T13:59:15.826Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:30.203

Modified: 2026-03-26T20:29:49.837

Link: CVE-2026-33511

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:41Z

Weaknesses