Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator's browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when a link URL stored by a user is interpolated into a template literal that is then wrapped in single‑quoted HTML and written to the DOM with $(div).html(html). Because no escaping is performed, an attacker who can submit a package link can insert a single quote followed by an event handler or arbitrary script, breaking out of the attribute context and executing code in the browser each time the Downloads view is loaded.

Affected Systems

Installing pyLoad before version 0.5.0b3.dev100 and using the modern theme exposes this flaw. Any installation that allows users to submit package links will store URLs that can be later rendered in the Downloads view, making the vulnerability applicable to all systems running the affected code base.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high‑severity flaw. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit a malicious package link; once the link is stored, all users who open the Downloads view will receive arbitrary JavaScript execution in their browser context, potentially granting an attacker full control of the client environment.

Generated by OpenCVE AI on May 28, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev100 or later to remove the unsanitized interpolation.
  • Restrict package link submissions to trusted users and validate or sanitize URLs before storing them.
  • Implement a strict Content Security Policy on the downloads page that blocks inline scripts and event handler attributes.

Generated by OpenCVE AI on May 28, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fcjq-435v-jx94 pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
History

Thu, 28 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Pyload
Pyload pyload
Vendors & Products Pyload
Pyload pyload

Thu, 28 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator's browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100.
Title pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Pyload Pyload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T18:51:28.477Z

Reserved: 2026-05-11T21:40:08.177Z

Link: CVE-2026-45348

cve-icon Vulnrichment

Updated: 2026-05-28T18:50:58.168Z

cve-icon NVD

Status : Received

Published: 2026-05-28T18:16:35.437

Modified: 2026-05-28T20:16:24.857

Link: CVE-2026-45348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T20:30:25Z

Weaknesses