Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 0.5.0b3.dev100, the pyload-ng WebUI returns full Python traceback details to clients when an unhandled exception occurs. The publicly exposed /web/<path:filename> endpoint lets unauthenticated users supply arbitrary template names, so an attacker can trigger a server error at will. The resulting HTTP response contains internal stack traces that may reveal sensitive data such as file paths, configuration values, or internal logic. This flaw is classified as CWE-209 (information exposure through an error message) and can give an attacker insight into the backend environment.

Affected Systems

The vulnerable product is pyload, the open-source download manager, specifically any release prior to 0.5.0b3.dev100. Users of these earlier versions should note that the vulnerability affects the WebUI component exposed without authentication.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been actively exploited in the wild. The attack path is straightforward: an unauthenticated request to a non-existent template triggers the error handler and returns the stack trace. Because no special privileges or zero-day conditions are required, the exploitation likelihood is relatively high for anyone who can reach the WebUI endpoint.

Generated by OpenCVE AI on May 11, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade pyload to version 0.5.0b3.dev100 or later, where the traceback disclosure has been fixed.
  • If an upgrade is not immediately possible, restrict unauthenticated access to the /web/ endpoint, for example by requiring authentication or limiting network exposure through a reverse proxy or firewall rules.
  • Review the application’s error handling settings to ensure that raw tracebacks or detailed exception information are not returned to clients in future releases.
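The last recommendation above, as an added example that is not pyLoad's own code: a framework-neutral WSGI sketch of a global exception handler that keeps the traceback in the server log under an incident id, while a request for a non-existent template under /web/ gets only a fixed 500 message. The template store, the in-memory log and the route shape are constructed assumptions for the demonstration.

```python
import logging
import sys
import traceback
import uuid
from io import StringIO

# Constructed stand-in for the template store; any other name is "missing".
TEMPLATES = {"index.html": "<h1>pyLoad</h1>"}

# Constructed in-memory server log: tracebacks belong here, never in the response.
_log_stream = StringIO()
logging.basicConfig(stream=_log_stream, level=logging.ERROR, format="%(message)s", force=True)
log = logging.getLogger("webui.example")

def render_template(name):
    # Mirrors the failure mode on the page: an unknown template name raises.
    return TEMPLATES[name]  # KeyError for a non-existent template

def webui_app(environ, start_response):
    # Route /web/<path:filename>; the filename comes straight from the client.
    path = environ.get("PATH_INFO", "")
    if path.startswith("/web/"):
        body = render_template(path[len("/web/"):])
        start_response("200 OK", [("Content-Type", "text/html")])
        return [body.encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def shield_errors(app):
    # Global exception handler: the weak form puts traceback.format_exc() in the body;
    # this form logs it under an incident id and sends the client a fixed message.
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            incident = uuid.uuid4().hex
            log.error("incident %s for %s\n%s", incident, environ.get("PATH_INFO"), traceback.format_exc())
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")], sys.exc_info())
            return [f"Internal server error (ref {incident})".encode()]
    return wrapped

app = shield_errors(webui_app)

def get(path):
    # Minimal offline WSGI driver; returns (status, body_text).
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app({"PATH_INFO": path}, start_response)).decode()
    return seen["status"], body
```

The incident id printed to the client is the only thing an operator needs to find the full trace in the server log.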


Advisories
Source: GitHub GHSA
ID: GHSA-c3gc-9pf2-84gg
Title: PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
History

Mon, 11 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 18:45:00 +0000

Type: First Time appeared
Values added: Pyload; Pyload pyload
Type: Vendors & Products
Values added: Pyload; Pyload pyload

Mon, 11 May 2026 17:30:00 +0000

Type: Description
Values added: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.
Type: Title
Values added: pyLoad: Unauthenticated traceback disclosure via global exception handler in WebUI
Type: Weaknesses
Values added: CWE-209
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:27:05.705Z

Reserved: 2026-05-05T15:42:40.518Z

Link: CVE-2026-44226

Vulnrichment

Updated: 2026-05-11T18:26:59.566Z

NVD

Status: Received

Published: 2026-05-11T18:16:37.807

Modified: 2026-05-11T19:16:25.767

Link: CVE-2026-44226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses