PT-2026-41178 · CVE-2026-45348
Published 2026-05-14 · Updated 2026-05-28
CVSS v3.1: 8.7 (High)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
pyLoad versions prior to 0.5.0b3.dev100
Description
An issue exists where the packages.js template interpolates stored link URLs into a template literal within single-quoted HTML and writes the result to the DOM using the $(div).html(html) function. Because no escaping occurs between the API value and innerHTML, an attacker can submit a package link containing a single quote and an event handler to break out of the attribute and execute arbitrary JavaScript in the browser of any operator who opens the downloads view. This is further enabled by the lack of a Content Security Policy (CSP) to restrict inline scripts or event handlers.

Technical details include:
- API Endpoints: /api/get_package_data (returns stored URLs), /api/add_package (stores attacker-supplied links), and /flash/add (allows unauthenticated network attackers to reach the same sink when ClickNLoad is enabled).
- Vulnerable Parameters or Variables: link.url, link.name, link.statusmsg, link.error, link.format_size, link.plugin, link.icon, and link.id.
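The sink pattern described above, as an added example that is not pyLoad's own code: an illustrative render function with the unescaped interpolation beside an attribute-escaped version, and a check that counts attribute delimiters in the rendered markup. The link field names mirror the advisory; the sample link value is constructed.

```javascript
// Added example, not code from pyLoad. Shows why interpolating an API value
// straight into a single-quoted attribute is unsafe and how escaping fixes it.

// Escape the characters that can terminate an HTML attribute or start a tag.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is placed inside single quotes as-is,
// so a single quote in link.url ends the href attribute early.
function renderLinkUnsafe(link) {
  return `<a href='${link.url}' title='${link.name}'>${link.name}</a>`;
}

// Hardened pattern: every interpolated field is escaped before it reaches the
// template literal. Building the element with DOM APIs (setAttribute,
// textContent) instead of an HTML string is an equally valid fix.
function renderLinkSafe(link) {
  const esc = escapeHtmlAttr;
  return `<a href='${esc(link.url)}' title='${esc(link.name)}'>${esc(link.name)}</a>`;
}

// Simple check for attribute breakout: the template itself emits exactly
// `expectedQuotes` single quotes, so any extra one came from the data.
function hasAttributeBreakout(html, expectedQuotes) {
  const count = (html.match(/'/g) || []).length;
  return count !== expectedQuotes;
}

// Constructed sample: a stored link whose URL contains a single quote.
const sampleLink = { url: "http://example.test/d?q=it's", name: 'report' };

// Runs stand-alone: the unsafe render has 5 quotes, the safe one 4.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderLinkUnsafe(sampleLink), hasAttributeBreakout(renderLinkUnsafe(sampleLink), 4));
  console.log(renderLinkSafe(sampleLink), hasAttributeBreakout(renderLinkSafe(sampleLink), 4));
}
```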
Recommendations
Update to version 0.5.0b3.dev100.
As a temporary mitigation, restrict access to the /api/add_package and /flash/add endpoints to trusted users only.
Implement a strict Content Security Policy (CSP) such as default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self' to block inline event handlers.
Tags: Exploit, Fix, XSS
Affected Products
Pyload
Pyload-Ng