PT-2025-31885 · Pyload · Pyload
Ikhsanzdev (+1)
Published: 2025-08-01 · Updated: 2025-10-09
CVE-2025-54802
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: pyLoad versions 0.5.0b3.dev89 and below
Description: pyLoad is a free and open-source download manager written in pure Python. A path traversal vulnerability exists in the pyLoad-ng CNL Blueprint via the package parameter, allowing arbitrary file write and potentially leading to remote code execution (RCE). The /addcrypted endpoint in pyload-ng builds a filesystem path from that parameter without sanitising it, so unauthenticated attackers can write arbitrary files outside the designated storage directory. This can be exploited to overwrite critical system files, such as cron jobs and systemd services, resulting in privilege escalation and remote code execution as root.
Recommendations: Update to version 0.5.0b3.dev90.
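As an added illustration (not pyLoad's code and not its actual fix), the unsafe join the advisory describes beside a hardened path construction that confines the submitted package name to the storage directory; the storage path, function names and sample inputs are assumptions made for the example.

```python
# Added example, not pyLoad's code: the naive path construction behind a
# traversal bug like the one in the advisory, and a hardened variant.
import os


def unsafe_package_path(storage_dir: str, package: str) -> str:
    """Naive construction: the untrusted name is joined directly, so a
    value containing '..' or a leading '/' escapes storage_dir."""
    return os.path.join(storage_dir, package)


def safe_package_path(storage_dir: str, package: str) -> str:
    """Hardened construction: accept only a bare file name, resolve the
    result and require that it still lies inside the storage directory."""
    if package in ("", ".", "..") or package != os.path.basename(package):
        # separators, '..' components and absolute paths all fail this test
        raise ValueError(f"invalid package name: {package!r}")
    root = os.path.realpath(storage_dir)
    candidate = os.path.realpath(os.path.join(root, package))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes storage directory: {package!r}")
    return candidate


def escapes_storage(storage_dir: str, package: str) -> bool:
    """True if the naive construction resolves outside storage_dir."""
    root = os.path.realpath(storage_dir)
    target = os.path.realpath(unsafe_package_path(storage_dir, package))
    return os.path.commonpath([root, target]) != root


def check_names(storage_dir: str, names: list) -> dict:
    """Map each candidate name to 'accepted' or 'rejected' under the
    hardened rule; handy as a regression check for the fix."""
    result = {}
    for name in names:
        try:
            safe_package_path(storage_dir, name)
            result[name] = "accepted"
        except ValueError:
            result[name] = "rejected"
    return result
```

Running check_names on a constructed list such as ["package1", "../../etc/cron.d/job", "/etc/passwd", "sub/pkg"] accepts only the first entry.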

Exploit · Fix · LPE · RCE · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-07564
CVE-2025-54802
GHSA-48RP-JC79-2264

Affected Products

Pyload