PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44226 Pyload CVE debrief

CVE-2026-44226 is an unauthenticated information-disclosure issue in pyLoad/pyload-ng WebUI. If the WebUI is reachable, an attacker can trigger an unhandled exception through the unauthenticated /web/<path:filename> route and receive full Python traceback details in the HTTP response. The issue is fixed in 0.5.0b3.dev100.

Vendor: Pyload
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-18
Advisory published: 2026-05-11
Advisory updated: 2026-05-18

Who should care

Administrators and operators of pyLoad or pyload-ng deployments, especially instances with the WebUI exposed on internal networks or the public internet. Security teams should also review any reverse proxies or access controls in front of the WebUI.

Technical summary

According to the NVD record and the linked GitHub security advisory, pyLoad versions before 0.5.0b3.dev100 leak full Python traceback details when the WebUI encounters an unhandled exception. The /web/<path:filename> endpoint is reachable without authentication and accepts attacker-influenced template names, so a remote unauthenticated user can reliably provoke an error and observe internal stack-trace output. NVD classifies the weakness as CWE-209 (generation of error message containing sensitive information).

Defensive priority

Medium priority: patch promptly if the WebUI is reachable, because the issue is unauthenticated and remote, but it is limited to information disclosure rather than code execution or integrity impact.

Recommended defensive actions

  • Upgrade pyLoad/pyload-ng to 0.5.0b3.dev100 or later.
  • Restrict access to the WebUI with network controls if it does not need to be publicly reachable.
  • Verify that reverse proxies, authentication layers, and firewall rules prevent unauthenticated access to /web/ endpoints.
  • Check logs for repeated requests that may indicate probing of the unauthenticated template path.
  • Review any exposed traceback content for secrets or internal environment details that may have been disclosed before patching.
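The log-review action above, together with the technical summary's point that the unauthenticated /web/<path:filename> route is what gets provoked into erroring, can be turned into a small triage script. The following is an added example, not code from the debrief or from the pyLoad project. It assumes the WebUI (or the reverse proxy in front of it) writes a standard combined-format access log and that an unhandled exception surfaces there as a 5xx status; the log lines, client addresses and path names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not taken from the page or from
# any real deployment); addresses are documentation ranges, paths are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [11/May/2026:10:00:01 +0000] "GET /web/probe-a.html HTTP/1.1" 500 2310 "-" "curl/8.6.0"
198.51.100.7 - - [11/May/2026:10:00:02 +0000] "GET /web/probe-b.html HTTP/1.1" 500 2298 "-" "curl/8.6.0"
198.51.100.7 - - [11/May/2026:10:00:03 +0000] "GET /web/probe-c.html HTTP/1.1" 500 2305 "-" "curl/8.6.0"
203.0.113.9 - - [11/May/2026:10:01:10 +0000] "GET /web/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/May/2026:10:01:11 +0000] "GET /web/static/main.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
192.0.2.44 - - [11/May/2026:10:02:00 +0000] "GET /web/missing.html HTTP/1.1" 500 2301 "-" "python-requests/2.31"
this line is not an access log record
"""

# Combined log format: client, ident, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line; return a dict or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_web_probing(log_text, threshold=2):
    """Return {client_ip: count} for clients with at least `threshold` server
    errors on the unauthenticated /web/ prefix.

    The assumption (not stated on the page) is that the unhandled exception
    described in the advisory is logged as a 5xx status; repeated 5xx hits on
    /web/ from one client are the signal worth reviewing.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith("/web/") and 500 <= rec["status"] < 600:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(find_web_probing(SAMPLE_LOG).items()):
        print(f"{ip}: {n} server errors on /web/ paths")
```

The threshold is deliberately low: a single unhandled exception on a template path is already worth a look on an unpatched instance, and lowering `threshold` to 1 surfaces every such client. Once the instance is on 0.5.0b3.dev100 or later, the same query remains useful as a check that the error path is no longer reachable without authentication.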

Evidence notes

The debrief is based on the official CVE record, the NVD entry, and the linked GitHub advisory. NVD shows the vulnerability status as analyzed, the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and the weakness mapping as CWE-209. The CVE was published on 2026-05-11 and the NVD record was modified on 2026-05-18; these dates are used only as publication/timeline context.

Official resources

Publicly disclosed in the official CVE record on 2026-05-11. The NVD record was updated on 2026-05-18. Fixed in pyLoad 0.5.0b3.dev100 per the vendor advisory.