pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-639"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "0.4.20"
},
{
"fixed": "0.5.0b3.dev97"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"fixed": "0.5.0b3.dev97"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33511.json"
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.20"
}
]
}