{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33511", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.890Z", "datePublished": "2026-03-24T18:56:08.886Z", "dateUpdated": "2026-03-25T14:28:19.605Z"}, "containers": {"cna": {"title": "pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": ">= 0.4.20, < 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:56:08.886Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-g5j2-gxqh-x7pw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:59:02.731679Z", "id": "CVE-2026-33511", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:28:19.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33511", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:59:02.731679Z"}}}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:59:15.826Z"}}], "cna": {"title": "pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad", "source": {"advisory": "GHSA-g5j2-gxqh-x7pw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": ">= 0.4.20, < 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:56:08.886Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33511", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:28:19.605Z", "dateReserved": "2026-03-20T16:59:08.890Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T18:56:08.886Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "DACFA9B5-22AD-4BC6-87D5-8272FF49BD56", "versionEndIncluding": "0.4.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "FCF4830F-E848-4F80-AB82-2040E219E677", "versionEndExcluding": "0.5.0b3.dev97", "versionStartIncluding": "0.5.0a5.dev528", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python. Desde la versi\u00f3n 0.4.20 hasta antes de la versi\u00f3n 0.5.0b3.dev97, el decorador local_check en la funci\u00f3n ClickNLoad de pyLoad puede ser eludido por cualquier atacante remoto mediante la suplantaci\u00f3n del encabezado Host HTTP. Esto permite a usuarios remotos no autenticados acceder a puntos finales restringidos a localhost, permiti\u00e9ndoles inyectar descargas arbitrarias, escribir archivos en el directorio de almacenamiento y ejecutar c\u00f3digo JavaScript. Este problema ha sido parcheado en la versi\u00f3n 0.5.0b3.dev97."}], "id": "CVE-2026-33511", "lastModified": "2026-03-26T20:29:49.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:30.203", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.4.20,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-03-26T21:32:59.849557+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or later."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass and Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the pyLoad download manager from versions 0.4.20 up to, but not including, 0.5.0b3.dev97. The affected product is the open\u2011source pyLoad application.", "description_and_impact": "A flaw in pyLoad\u2019s ClickNLoad feature permits an unauthenticated attacker to override the local_check decorator by sending a request with a forged HTTP Host header. This bypass opens localhost\u2011restricted endpoints, allowing the attacker to inject arbitrary downloads, write files to the storage directory, and run JavaScript code, effectively enabling remote code execution on the target system.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.8, indicating high severity, and a very low EPSS score of less than 1%, suggesting the likelihood of public exploitation is minimal. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that a remote attacker can exploit the issue by sending a crafted HTTP request with a spoofed Host header to the server, thereby gaining unauthenticated access to restricted endpoints."}}}}, "created": "2026-03-25T11:46:25.771311+00:00", "updated": "2026-03-27T09:20:41.201190+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}