What is the CVSS score of CVE-2024-21644?

CVE-2024-21644 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 86.5%.

Which versions of Python are affected by CVE-2024-21644?

Organizations using pyLoad face notable risk from CVE-2024-21644, a improper access control vulnerability rated CVSS 7.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2024-21644?

Yes, a public proof-of-concept exploit is available for CVE-2024-21644. Prioritise patching immediately. EPSS: 86.5%.

How to fix or mitigate CVE-2024-21644?

Within 30 days: Identify all affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Python CVE-2024-21644

HIGH

Improper Access Control (CWE-284)

2024-01-08 security-advisories@github.com

Authentication Bypass Python Pyload

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:34 vuln.today

Patch released

Mar 28, 2026 - 19:34 nvd

Patch available

PoC Detected

Nov 21, 2024 - 08:54 vuln.today

Public exploit code

CVE Published

Jan 08, 2024 - 14:15 nvd

HIGH 7.5

DescriptionGitHub Advisory

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRET_KEY variable. This issue has been patched in version 0.5.0b3.dev77.

AnalysisAI

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint. Attackers can extract this key to forge session cookies, impersonate the administrator, and execute arbitrary code through pyLoad's plugin system.

Technical ContextAI

A specific URL path in pyLoad's web interface returns the full Flask application configuration without requiring authentication. The exposed data includes the SECRET_KEY used for signing session cookies. With this key, an attacker can forge a valid session cookie for any user including the administrator. pyLoad's admin interface allows plugin installation and script execution.

RemediationAI

Update to pyLoad 0.5.0b3.dev77 or later. Regenerate the SECRET_KEY after patching. Never expose pyLoad's web interface to the internet without additional authentication layers. Review installed plugins for unauthorized additions.

More from same product – last 7 days

CVE-2026-48039 CRITICAL Act Now POC

9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac

CVE-2026-20251 HIGH This Week

8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-48519 CRITICAL Act Now

9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co

CVE-2026-45833 CRITICAL Act Now

9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

CVE-2024-21644 vulnerability details – vuln.today

Back

Python CVE-2024-21644

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code