Vulnerability Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
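The weak pattern the description names (a localhost-only decorator whose decision can be steered by the client-supplied Host header) beside a hardened variant that decides on the transport-layer peer address instead. This is an added illustration, not pyLoad's own local_check code; the request dict shape, the add_package handler and the header parsing are assumptions made for the example.

```python
from functools import wraps
import ipaddress

LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


def is_local_by_host_header(headers):
    """Weak check: trusts the client-supplied Host header, which any client can set."""
    host = headers.get("Host", "")
    if host.startswith("["):                     # bracketed IPv6 literal, e.g. [::1]:8000
        host = host[1:host.find("]")] if "]" in host else host
    else:
        host = host.split(":", 1)[0]             # drop an optional :port
    return host.lower() in LOCAL_HOSTNAMES


def is_local_by_peer(remote_addr):
    """Hardened check: decides on the peer address of the socket, not on request headers."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                  # ::ffff:127.0.0.1 from a dual-stack socket
    return addr.is_loopback


def local_check(handler):
    """Decorator restricting a handler to loopback peers (request is a hypothetical dict)."""
    @wraps(handler)
    def wrapper(request, *args, **kwargs):
        if not is_local_by_peer(request.get("remote_addr", "")):
            return 403, "forbidden: localhost only"
        return handler(request, *args, **kwargs)
    return wrapper


@local_check
def add_package(request):
    """Stand-in for a localhost-restricted ClickNLoad endpoint (hypothetical)."""
    return 200, "queued"


if __name__ == "__main__":
    # Constructed request: a non-local peer presenting a spoofed Host header.
    spoofed = {"remote_addr": "203.0.113.7", "headers": {"Host": "127.0.0.1:8000"}}
    print("header-based check accepts it:", is_local_by_host_header(spoofed["headers"]))
    print("peer-based decorator result:", add_package(spoofed))
    print("genuine local client:", add_package({"remote_addr": "127.0.0.1", "headers": {}}))
```

Behind a reverse proxy the peer address is the proxy's, so the check must run at the listening socket itself, or the restricted endpoints should be bound to the loopback interface only.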
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pyload | Pyload | <= 0.4.20 |
| Pyload-Ng Project | Pyload-Ng | >= 0.5.0a5.dev528, < 0.5.0b3.dev97 |
Related Weaknesses (CWE)
References
- https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-33511?
CVE-2026-33511 is a vulnerability with a CVSS score of 9.8 (CRITICAL). pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by an...
How severe is CVE-2026-33511?
CVE-2026-33511 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33511?
Check the references section above for vendor advisories and patch information; the description states that the issue is fixed in version 0.5.0b3.dev97. Affected products: Pyload (vendor Pyload) and Pyload-Ng (vendor Pyload-Ng Project).