HIGH 8.7

CVE-2026-45348: Stored XSS in pyLoad Web Interface – Upgrade to 0.5.0b3.dev100

pyLoad is a popular open-source download manager. A vulnerability in its web interface allows attackers to inject malicious JavaScript code. If someone with access to submit download links injects code into a URL, that code executes in the browser of any operator viewing the downloads list. This happens because the application inserts the URL directly into the page without sanitizing it, and the modern theme lacks security policies that would block inline scripts. The vulnerability affects all versions before 0.5.0b3.dev100.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator's browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the packages.js template file within pyLoad's modern web theme. Specifically, at line 172, a stored package link URL is interpolated into a template literal string and then written to the DOM via jQuery's html() method. The application fails to escape or sanitize the URL value before insertion into single-quoted HTML attributes. Because the URL is user-controlled and can contain special characters, an attacker can inject a single quote followed by an event handler (e.g., ' onclick='malicious_code') to break out of the attribute context and execute arbitrary JavaScript. The absence of a Content Security Policy that restricts inline scripts or event handlers allows this injected code to run with full application privileges in the operator's session.

Business impact

Operators using pyLoad's web interface are vulnerable to session hijacking, credential theft, and malicious action on their behalf. An attacker could steal authentication tokens, modify download queues, access sensitive files, or pivot to connected systems. Since the vulnerability requires an authenticated attacker to submit a malicious link, the threat is elevated within organizations or communities where multiple users upload or share download links. The impact spans confidentiality and integrity but not availability.

Affected systems

All pyLoad installations prior to version 0.5.0b3.dev100 are affected. The vulnerability is specific to the modern web theme; other themes or alternative frontends may not be vulnerable if they handle URL escaping differently. Users who have upgraded to 0.5.0b3.dev100 or later are protected.

Exploitability

The attack requires low privileges—specifically, the ability to submit or modify a package link. This could be a legitimate user, a collaborator, or an external actor with limited upload permissions. User interaction is necessary: an operator must navigate to the downloads view to trigger the payload. The attack surface is the web interface accessible over the network. No special exploit tools or knowledge are required beyond basic JavaScript injection syntax. Overall exploitability is moderate to high in shared or semi-public deployments.

Remediation

Upgrade pyLoad to version 0.5.0b3.dev100 or later. This version fixes the vulnerability by properly escaping URL values before interpolation into the DOM. Organizations unable to upgrade immediately should restrict web interface access to trusted networks, disable the modern theme in favor of alternatives if available, and enforce strict access controls on users who can submit or edit download links.

Patch guidance

Update pyLoad to 0.5.0b3.dev100 or a subsequent stable release. Before patching, verify the current version installed. Most deployments using package managers (pip, Docker, etc.) can update with standard commands. After upgrade, restart the pyLoad service and verify the web interface loads correctly. Test functionality with existing download packages to ensure no regressions. If using a custom or forked version, backport the fix from the official repository or wait for your maintainer to merge the upstream patch.

Detection guidance

Monitor web server logs for unusual URL patterns in requests to the packages endpoint, particularly those containing JavaScript syntax or special characters (quotes, parentheses, keywords like 'onclick' or 'onerror'). Log or alert on any JavaScript errors in the browser console when the downloads view is opened. Use SIEM tools to correlate web interface access patterns with suspicious activity. Endpoint detection tools may flag unexpected script execution or network connections initiated from the pyLoad web process. Review stored package links periodically for injected payloads, though most will execute and not persist in storage.

Why prioritize this

This vulnerability merits prompt patching due to its HIGH CVSS score (8.7), stored XSS nature, and impact on operator security. Any authenticated user can trigger the flaw, making it practical to exploit in multi-user environments. The fix is available and straightforward to deploy. Delaying remediation leaves all operators exposed to session hijacking and account compromise.

Risk score, explained

The CVSS 3.1 score of 8.7 reflects a network-accessible vulnerability (AV:N) that requires only low privileges (PR:L) but does need user interaction to trigger (UI:R). The scope is changed (S:C), meaning the impact extends beyond the vulnerable component to the entire web application and operator's session. Confidentiality and integrity are both high (C:H, I:H), but availability is not affected (A:N). The score appropriately captures the serious but not system-wide nature of the threat.

Frequently asked questions

Can an unauthenticated attacker exploit this?

No. The vulnerability requires the ability to submit or modify a package link, which implies some level of access to the application. However, in open deployments or where registration is unrestricted, this bar is low.

Does the vulnerability allow remote code execution on the server?

No. The vulnerability is a stored cross-site scripting (XSS) flaw that executes JavaScript in the operator's browser, not on the pyLoad server itself. However, the attacker's code runs with the privileges of the logged-in operator's session.

What if I'm running pyLoad offline or on a local network only?

Risk is significantly reduced in isolated deployments with few users and strong access controls, but the vulnerability still exists. An internal attacker or compromised account could still exploit it. Upgrading remains the safest approach.

Are there workarounds if I cannot upgrade immediately?

Temporarily restrict web interface access to trusted IPs, disable or replace the modern theme if alternatives are available, and enforce strong authentication. These reduce but do not eliminate risk; upgrading is the only complete fix.

This analysis is based on published CVE data and the official vulnerability description. Verify all patch version numbers and compatibility against the pyLoad official repository and release notes before deploying. The information provided is for informational purposes and does not constitute professional security advice. Consult your security team and vendor documentation for your specific environment. No exploit code is provided; this summary is for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).