PatchSiren cyber security CVE debrief
CVE-2026-45348 pyload CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in pyLoad, a free and open-source Python download manager. Prior to version 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML without escaping, then writes the result to the DOM via $(div).html(html). An attacker with the ability to submit a package link can inject a single quote and event handler into the URL, break out of the attribute context, and execute JavaScript in the browser of any operator who opens the downloads view. The modern theme does not implement a Content Security Policy that would restrict inline scripts or event handlers. This vulnerability was published on 2026-05-28 and carries a CVSS 3.1 score of 8.7 (HIGH).
- Vendor: pyload
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running pyLoad download manager instances with the modern web UI theme, particularly multi-user deployments where untrusted users can submit download links. Security teams should prioritize patching because of the HIGH severity score and the potential for session hijacking or administrative actions performed in the browser of an authenticated operator.
Technical summary
The vulnerability exists in the modern theme's packages.js template where stored link URLs are interpolated into template literals and written to the DOM via jQuery's .html() method without escaping. An attacker can craft a malicious package link containing a single quote to break out of the HTML attribute context and inject an event handler (e.g., onclick, onerror) that executes arbitrary JavaScript when the downloads view is rendered. The absence of a restrictive Content Security Policy allows these inline event handlers to execute. The attack requires the attacker to have permission to submit package links, and victim operators must open the downloads view. The fix in 0.5.0b3.dev100 addresses the improper neutralization of input during web page generation (CWE-79).
Defensive priority
HIGH
Recommended defensive actions
- Upgrade pyLoad to version 0.5.0b3.dev100 or later to remediate the stored XSS vulnerability
- Review and implement a Content Security Policy that restricts inline scripts and event handlers for the web UI
- Audit all templates in src/pyload/webui/app/themes/ for similar unescaped interpolations into HTML or JavaScript contexts
- Apply context-appropriate output encoding when inserting user-controlled data into HTML, JavaScript, or URL contexts
- Consider using safer DOM manipulation methods that do not parse HTML, or ensure proper sanitization before .html() calls
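The escaping the technical summary and the encoding recommendation above call for, as an added example that is not pyLoad's code: a raw template-literal interpolation into a single-quoted href (the shape the advisory describes) beside a hardened version that encodes every interpolated value for its context and refuses non-http(s) schemes. The function names, the sample link and the `.invalid` host are constructed for this illustration.

```javascript
// Encode the characters that can end an attribute value or open a tag.
// Covers both single- and double-quoted attribute contexts and text nodes.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only http(s) URLs are allowed into an href; anything else (including
// javascript: or data: schemes) is replaced by an inert fragment link.
function safeHref(url) {
  const s = String(url);
  return /^https?:\/\//i.test(s) ? escapeHtmlAttr(s) : "#";
}

// Vulnerable shape from the advisory: stored values dropped straight into
// single-quoted HTML. A quote in link.url terminates the attribute early.
function renderLinkRowUnsafe(link) {
  return `<a href='${link.url}'>${link.name}</a>`;
}

// Hardened shape: each value is encoded for the context it lands in, so the
// markup structure is fixed by the template and never by the stored data.
function renderLinkRow(link) {
  return `<a href='${safeHref(link.url)}'>${escapeHtmlAttr(link.name)}</a>`;
}

// Constructed sample: a stored link whose URL carries a single quote followed
// by an event-handler attribute name, the pattern the advisory warns about.
const sampleLink = { name: "file.bin", url: "http://example.invalid/a' onclick='x" };

// Invariant a regression test can check: after the two delimiting quotes of
// href, the only thing that may follow is the closing '>' of the opening tag.
function hrefIsIntact(html) {
  const m = html.match(/^<a href='[^']*'(.*)$/);
  return m !== null && m[1].startsWith(">");
}
```

The result of `renderLinkRow(sampleLink)` can be handed to `.html()` safely; `renderLinkRowUnsafe(sampleLink)` is what the advisory's line 172 produced before the fix.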
Evidence notes
The vulnerability description confirms stored XSS via unescaped URL interpolation in the packages.js template, DOM insertion via jQuery .html(), and the absence of CSP protections. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N indicates a network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, high confidentiality and integrity impact, and no availability impact.
Official resources
- CVE-2026-45348 CVE record (CVE.org)
- CVE-2026-45348 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28