CVE-2026-33511

HIGH EPSS 33.8%

Published Mar 24, 20263mo ago · Modified Jun 17, 20261w ago

8.8 CVSS 4.0

High

Published Mar 24, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.

CVSS Details

Base Score

8.8

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

33.8% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-639

Affected Products 2

Vendor	Product	Version	Range
pyload	pyload	*	≤0.4.20
pyload-ng_project	pyload-ng	*	≥0.5.0a5.dev528 – <0.5.0b3.dev97

References 1

github.com https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw

ExploitMitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.