{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33511", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.890Z", "datePublished": "2026-03-24T18:56:08.886Z", "dateUpdated": "2026-03-25T14:28:19.605Z"}, "containers": {"cna": {"title": "pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": ">= 0.4.20, < 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:56:08.886Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-g5j2-gxqh-x7pw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:59:02.731679Z", "id": "CVE-2026-33511", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:28:19.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33511", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:59:02.731679Z"}}}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:59:15.826Z"}}], "cna": {"title": "pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad", "source": {"advisory": "GHSA-g5j2-gxqh-x7pw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": ">= 0.4.20, < 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:56:08.886Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33511", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:28:19.605Z", "dateReserved": "2026-03-20T16:59:08.890Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T18:56:08.886Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "DACFA9B5-22AD-4BC6-87D5-8272FF49BD56", "versionEndIncluding": "0.4.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "FCF4830F-E848-4F80-AB82-2040E219E677", "versionEndExcluding": "0.5.0b3.dev97", "versionStartIncluding": "0.5.0a5.dev528", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python. Desde la versi\u00f3n 0.4.20 hasta antes de la versi\u00f3n 0.5.0b3.dev97, el decorador local_check en la funci\u00f3n ClickNLoad de pyLoad puede ser eludido por cualquier atacante remoto mediante la suplantaci\u00f3n del encabezado Host HTTP. Esto permite a usuarios remotos no autenticados acceder a puntos finales restringidos a localhost, permiti\u00e9ndoles inyectar descargas arbitrarias, escribir archivos en el directorio de almacenamiento y ejecutar c\u00f3digo JavaScript. Este problema ha sido parcheado en la versi\u00f3n 0.5.0b3.dev97."}], "id": "CVE-2026-33511", "lastModified": "2026-03-26T20:29:49.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:30.203", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.4.20,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-03-24T21:37:03.681720+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or later."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Remote Code Execution via Host Header Injection"}, "threat_synthesis": {"affected_systems": "All pyLoad releases from version 0.4.20 up to, but not including, 0.5.0b3.dev97 are affected. The vulnerability is limited to the ClickNLoad feature served via HTTP on the local machine.", "description_and_impact": "The flaw lies in a missing guard in pyLoad\u2019s ClickNLoad module. By sending a crafted HTTP Host header, an attacker can reach endpoints that are intended to be protected for localhost only. This bypass opens the door for arbitrary download job creation, file writes to the storage directory, and injection of JavaScript that can be executed on the server. The root weakness is an authorization bypass caused by trusting an unverified request header, classified as CWE\u2011639.", "risk_and_exploitability": "The CVSS base score of 8.8 marks high severity. A current EPSS score is not available, and the issue is not listed in any official exploitation catalogues. Exploitation requires only the ability to send a crafted HTTP request to the pyLoad service; no authentication or elevated privileges are needed. Consequently, anyone who can reach the service\u2019s port can fully exploit the vulnerability."}}}}, "created": "2026-03-25T11:46:25.771311+00:00", "updated": "2026-03-25T20:57:51.198093+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}