Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.
AnalysisAI
Authenticated privilege escalation in pyLoad's WebUI JSON endpoints (/json/package_order, /json/link_order, /json/abort_link) allows low-privileged users to perform unauthorized MODIFY operations that violate the application's permission model. Versions prior to 0.5.0b3.dev97 are affected; the vulnerability requires valid authentication but enables privilege boundary bypass without requiring elevated credentials.
Technical ContextAI
pyLoad is a Python-based download manager that implements a permission-based access control model to restrict user actions based on privilege levels. The vulnerability exists in the WebUI JSON API layer, where three specific endpoints fail to enforce the same authorization checks that the underlying core API methods require. This represents a classic authorization bypass (CWE-863: Incorrect Authorization) where client-facing API endpoints do not properly validate user privileges before delegating to protected operations. The permission enforcement gap allows authenticated users with lower privilege levels to invoke operations restricted to higher-privilege users, bypassing the application's intended authorization boundaries.
RemediationAI
Upgrade pyLoad to version 0.5.0b3.dev97 or later, which includes the authorization enforcement fix for the vulnerable JSON endpoints. Users unable to upgrade immediately should restrict network access to pyLoad's WebUI to trusted networks only, or disable the affected endpoints if they are not required for normal operations. Review access logs for any suspicious activity from low-privileged accounts targeting /json/package_order, /json/link_order, or /json/abort_link endpoints. The vendor advisory at https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm contains additional context and upgrade instructions.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20998