CVE-2026-33511 · CRITICAL 9.8 · EPSS p33.6%


Description

pyLoad is a free and open-source download manager written in Python. In versions from 0.4.20 up to, but not including, 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker by spoofing the HTTP Host header. This allows unauthenticated remote users to reach localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% probability of exploitation · percentile 33.6% · 2026-06-18T12:00:27Z
Published: 2026-03-24
Last modified: 2026-03-26

Underlying weaknesses (1)

CWE-639: Authorization Bypass Through User-Controlled Key

References

  1. https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw

Type     | Target                                                     | Confidence | Tier
Weakness | Authorization Bypass Through User-Controlled Key (CWE-639) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-35459
CVE-2026-35463
CVE-2026-42313
CVE-2026-33509
CVE-2025-61773
CVE-2025-53890
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.