CVE-2026-33511
pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 13th |
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
| CWE | CWE-639 |
| Vendor | pyload |
| Product | pyload |
| Published | Mar 24, 2026 |
| Last Updated | Mar 25, 2026 |
Affected Versions
pyload / pyload
>= 0.4.20, < 0.5.0b3.dev97
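
The class of flaw in the description, as an added illustration that is not pyLoad's code: a localhost-only check that trusts the client-supplied Host header, next to one that decides from the connection's peer address. The function names, the port value 9666 and the sample requests are assumptions constructed for this example.

```python
import ipaddress

# Assumed allow-list for the illustration; the port value is an assumption.
LOCAL_HOST_HEADERS = {"127.0.0.1:9666", "[::1]:9666", "localhost:9666"}


def is_local_by_host_header(environ):
    """Weak pattern: HTTP_HOST is copied from the request, so the client
    chooses its value and any remote sender can claim to be local."""
    return environ.get("HTTP_HOST", "") in LOCAL_HOST_HEADERS


def is_local_by_peer(environ):
    """Hardened pattern: REMOTE_ADDR is filled in by the server from the
    accepted TCP connection, not from request headers."""
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed address: fail closed
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap first.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


# Constructed WSGI environ samples (203.0.113.0/24 is a documentation range).
REMOTE_SPOOFED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "127.0.0.1:9666"}
GENUINE_LOCAL = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "127.0.0.1:9666"}


def compare(environ):
    """Return (host_header_verdict, peer_address_verdict) for one request."""
    return is_local_by_host_header(environ), is_local_by_peer(environ)


if __name__ == "__main__":
    for name, env in (("remote, spoofed Host", REMOTE_SPOOFED),
                      ("genuine local", GENUINE_LOCAL)):
        by_header, by_peer = compare(env)
        print(f"{name}: host-header check={by_header}, peer check={by_peer}")
```

When the service sits behind a reverse proxy on the same host, REMOTE_ADDR is the proxy's loopback address for every request, so the restriction has to be enforced at the proxy or by binding the listener to loopback only.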