CVE-2026-45348

HIGH 8.7

pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal

CVSS Score

8.7

EPSS Score

0.0%

EPSS Percentile

0th

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator's browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100.

CWE	CWE-79
Vendor	pyload
Product	pyload
Published	May 28, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for pyload pyload

Be the first to know when new high vulnerabilities affecting pyload pyload are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

pyload / pyload

< 0.5.0b3.dev100

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/pyload/pyload/security/advisories/GHSA-fcjq-435v-jx94