PT-2026-27492 · Pyload · Pyload

Yueyuel · Published 2026-03-24 · Updated 2026-03-25 · CVE-2026-33511

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

pyLoad versions 0.4.20 through 0.5.0b3.dev96

Description

pyLoad, a download manager written in Python, contains a flaw in its ClickNLoad feature. The local check decorator can be circumvented through HTTP Host header spoofing. This allows unauthenticated remote attackers to access endpoints restricted to localhost. Successful exploitation enables attackers to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code.

Recommendations

Update to version 0.5.0b3.dev97 or later.
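
The weakness class described above, shown as an added example that is not pyLoad's code or its fix: a "local only" decorator that trusts the request's Host header, next to one that checks the TCP peer address the server records. All names (`host_header_is_local`, `peer_is_local`, `local_only`, `add_package`) and the sample requests are hypothetical and constructed for illustration.

```python
import ipaddress

def host_header_is_local(environ):
    """Weak check: the Host header is supplied by the client."""
    host = environ.get("HTTP_HOST", "")
    if host.startswith("["):                      # bracketed IPv6 literal
        name = host.split("]")[0].lstrip("[")
    else:
        name = host.split(":")[0]                 # drop the optional port
    return name in ("127.0.0.1", "localhost", "::1")

def peer_is_local(environ):
    """Stronger check: REMOTE_ADDR is set by the server from the socket."""
    try:
        return ipaddress.ip_address(environ.get("REMOTE_ADDR", "")).is_loopback
    except ValueError:                            # missing or malformed address
        return False

def local_only(check):
    """Wrap a WSGI app so it answers 403 unless check(environ) passes."""
    def decorator(app):
        def wrapper(environ, start_response):
            if not check(environ):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"Forbidden"]
            return app(environ, start_response)
        return wrapper
    return decorator

def add_package(environ, start_response):
    """Hypothetical stand-in for an endpoint meant for localhost only."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"queued"]

def status_for(app, environ):
    """Call a WSGI app and return the status line it produced."""
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]

# Constructed requests (documentation address range, arbitrary port).
REMOTE_SPOOFED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "127.0.0.1:8000"}
LOCAL = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "127.0.0.1:8000"}

if __name__ == "__main__":
    for label, check in (("host header", host_header_is_local),
                         ("peer address", peer_is_local)):
        app = local_only(check)(add_package)
        print(label, "| remote:", status_for(app, REMOTE_SPOOFED),
              "| local:", status_for(app, LOCAL))
```

A peer-address check only holds when clients connect to the service directly; behind a reverse proxy on the same host every request arrives from loopback, so the restriction has to be enforced at the proxy or the listener kept off external interfaces.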

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-33511

Affected Products: Pyload