CVE-2026-46561 is a Server-Side Request Forgery (SSRF) vulnerability in pyLoad, a free and open-source Python download manager. The flaw exists in versions prior to 0.5.0b3.dev100, where the PREREQFUNCTION-based private IP address validation was not applied to HTTPRequest, which is used by the parse_urls API. An authenticated attacker can exploit this by supplying a URL pointing to an attacker-controlled [truncated]
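The validation that the advisory says was missing on the HTTPRequest path is a check on the address libcurl is about to connect to, run from a PREREQFUNCTION hook, rather than a check on the hostname string in the URL. The following is an added example of such a check; it is not pyLoad's code. It assumes pycurl's PREREQFUNCTION callback takes (conn_primary_ip, conn_local_ip, conn_primary_port, conn_local_port) and returns libcurl's CURL_PREREQFUNC_OK (0) or CURL_PREREQFUNC_ABORT (1); when pycurl is not installed the module falls back to those numeric values so the check itself still runs offline. The function names is_disallowed_ip, prereq_callback and attach_guard are this example's own.

```python
"""Connected-IP check of the kind a pycurl PREREQFUNCTION callback applies.

Added example, not pyLoad's own code. Assumes the pycurl PREREQFUNCTION
callback signature (conn_primary_ip, conn_local_ip, conn_primary_port,
conn_local_port) and libcurl's return codes CURL_PREREQFUNC_OK (0) /
CURL_PREREQFUNC_ABORT (1).
"""
import ipaddress

try:
    import pycurl
    PREREQFUNC_OK = pycurl.PREREQFUNC_OK
    PREREQFUNC_ABORT = pycurl.PREREQFUNC_ABORT
except (ImportError, AttributeError):
    pycurl = None
    PREREQFUNC_OK, PREREQFUNC_ABORT = 0, 1  # libcurl's documented values


def is_disallowed_ip(ip_text: str) -> bool:
    """True if the address libcurl resolved the URL to is internal.

    Because this runs on the resolved address, after DNS, a hostname that
    resolves to 127.0.0.1, a DNS-rebinding target, and IPv4-mapped IPv6 forms
    such as ::ffff:127.0.0.1 are all caught; a check on the URL's hostname
    string would miss every one of them.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # refuse anything that does not parse as an address
    # Unwrap ::ffff:a.b.c.d so the IPv4 ranges are tested on the real target.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def prereq_callback(conn_primary_ip, conn_local_ip, conn_primary_port, conn_local_port):
    """PREREQFUNCTION-style hook: abort before any request bytes are sent."""
    if is_disallowed_ip(conn_primary_ip):
        return PREREQFUNC_ABORT
    return PREREQFUNC_OK


def attach_guard(curl_handle):
    """Install the hook on a pycurl.Curl object.

    Every client path that fetches user-supplied URLs has to call this; the
    advisory above is exactly the case of one such path (HTTPRequest) not
    having the hook installed.
    """
    if pycurl is None:
        raise RuntimeError("pycurl with PREREQFUNCTION support is required")
    curl_handle.setopt(pycurl.PREREQFUNCTION, prereq_callback)
    return curl_handle
```

When auditing a fix like this, enumerate every place the application builds a curl handle for user-controlled URLs and confirm the hook is set on each one; a guard that lives in one wrapper class protects only callers of that class.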
A stored cross-site scripting (XSS) vulnerability exists in pyLoad, a free and open-source Python download manager. Prior to version 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML without escaping, then writes the result to the DOM via $(div).html(html). An attacker [truncated]
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeove [truncated]
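The weakness described here is an incomplete deny-list: the earlier fix kept storage_folder out of two directories but not out of a third one that holds other users' session files. The following is an added example of a containment check that takes an explicit set of protected directories and compares resolved paths by component rather than by string prefix; it is not pyLoad's code, and the directory names PKGDIR, userdir and the Flask session directory are modelled after the advisory under a temporary root constructed for the example. The functions is_inside, validate_storage_folder and run_demo are this example's own.

```python
"""Containment check for a user-settable storage directory.

Added example, not pyLoad's own code. The protected directories are
placeholders modelled on the advisory (PKGDIR, userdir, the Flask session
directory); they are created under a temporary root constructed here.
"""
import os
import tempfile
from pathlib import Path


def is_inside(candidate: Path, protected: Path) -> bool:
    """True if candidate is the protected directory itself or lies beneath it.

    Both sides are resolved first (symlinks, '..', trailing slashes) and the
    comparison walks path components, so '/tmp/pyLoad/flask2' does not match
    '/tmp/pyLoad/flask' while '/tmp/pyLoad/flask2/../flask' does.
    """
    c = candidate.resolve()
    p = protected.resolve()
    return c == p or p in c.parents


def validate_storage_folder(storage_folder: str, protected_dirs: dict) -> str:
    """Reject storage_folder if it is inside any protected directory.

    Returns the resolved path when acceptable and raises ValueError otherwise.
    Adding a directory to protected_dirs is the whole change needed when a new
    sensitive location (such as a session store) is identified.
    """
    candidate = Path(storage_folder)
    for name, protected in protected_dirs.items():
        if is_inside(candidate, Path(protected)):
            raise ValueError(f"storage_folder may not be inside {name} ({protected})")
    return str(candidate.resolve())


def run_demo() -> dict:
    """Build a constructed directory tree and probe the check with it."""
    with tempfile.TemporaryDirectory() as root:
        pkgdir = Path(root, "pkg")
        userdir = Path(root, "home")
        sessions = Path(root, "tmp", "pyLoad", "flask")
        sibling = Path(root, "tmp", "pyLoad", "flask2")
        downloads = Path(root, "downloads")
        for d in (pkgdir, userdir, sessions, sibling, downloads):
            d.mkdir(parents=True, exist_ok=True)
        protected = {
            "PKGDIR": str(pkgdir),
            "userdir": str(userdir),
            "flask_session_dir": str(sessions),
        }
        probes = {
            "downloads": downloads,
            "sessions": sessions,
            "sessions_via_dotdot": Path(sibling, "..", "flask"),
            "flask2_sibling": sibling,  # shares a string prefix, must stay allowed
        }
        link = Path(root, "link_to_sessions")
        try:
            os.symlink(sessions, link)
            probes["sessions_via_symlink"] = link
        except OSError:
            pass  # symlinks unavailable on this platform; skip that probe
        results = {}
        for label, cand in probes.items():
            try:
                validate_storage_folder(str(cand), protected)
                results[label] = "allowed"
            except ValueError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(run_demo())
```

The symlink and '..' probes are the ones worth keeping in a regression test: a check that compares the raw configured string against a prefix passes the obvious case and fails both of them.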
CVE-2026-44226 is an unauthenticated information-disclosure issue in pyLoad/pyload-ng WebUI. If the WebUI is reachable, an attacker can trigger an unhandled exception through the unauthenticated /web/<path:filename> route and receive full Python traceback details in the HTTP response. The issue is fixed in 0.5.0b3.dev100.