PT-2026-60372 · Pypi · Cyberdrop-Dl-Patched

CVE-2026-54254

·

Published

2026-07-15

·

Updated

2026-07-15

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

When processing Pixeldrain URLs, cyberdrop-dl-patched could send an Authorization header that includes the user's API key to unverified hosts.

Details

Pixeldrain offers several alternative domains in case the user's ISP blocks the primary domain. To support this, requests made by cyberdrop-dl-patched are not hardcoded and will use the same host as the input URL for API requests.
cyberdrop-dl-patched matches URLs to a crawler based on their host. If the host contains a crawler's supported host as a sub-string, it will match to that crawler.
An URL from a malicious domain (ex: https://evil-pixeldrain.com) would successfully match to the Pixeldrain crawler and cyberdrop-dl-patched will blindly use that host for any API request (https://evil-pixeldrain.com/api), leaking the user's API key to the malicious actor via the Authorization header.

Impact

Anyone who has setup a Pixeldrain API key with cyberdrop-dl-patched and uses cyberdrop-dl-patched on sites that could spawn downloads for other sites (ex: forums, Wordpress, Pixeldrain itself, etc...)

Patches

cyberdrop-dl-patched v9.14.0 fixes this issue by rejecting any Pixedrain URL if the host does not match an official domain exactly .

Workarounds

It's recommended to upgrade cyberdrop-dl-patched to version v9.14.0
Anyone who has used a Pixeldrain API key with cyberdrop-dl-patched should consider them compromised and delete them from their Pixeldrain account.

Fix

Information Disclosure

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54254
GHSA-F5PF-Q7C7-M3VV

Affected Products

Cyberdrop-Dl-Patched