CVE-2025-53890

CRITICAL EPSS 62.7%
Published Jul 15, 202511mo ago · Modified Jun 17, 20261w ago
9.8 CVSS 3.1
Critical
Find Similar
Published Jul 15, 2025 11mo ago
Last Modified Jun 17, 2026 1w ago

Description

pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
62.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

References 3

  • github.com https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546
  • github.com https://github.com/pyload/pyload/pull/4586
  • github.com https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.