PYSEC-2026-496

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-496.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-496
Aliases
Published
2026-06-29T11:50:37.278367Z
Modified
2026-07-01T20:23:02.916755Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
pyLoad vulnerable to XSS through insecure CAPTCHA
Details

Summary

An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially on the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full remote code execution (RCE) on the system.

Details

The vulnerable code resides in:

```js
function onCaptchaResult(result) {
    eval(result); // Direct execution of attacker-controlled input
}
```
  • The onCaptchaResult() function directly passes CAPTCHA results (sent from the user) into eval()
  • No sanitization or validation is performed on this input
  • A malicious CAPTCHA result can include JavaScript such as fetch() or child_process.exec() in environments using Node.js
    • Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it
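A hardened replacement for the handler above, added here as an example rather than taken from pyLoad's own fix (the accepted answer shapes, the `submit` callback and the `parseCaptchaResult` helper are assumptions): the CAPTCHA result is parsed as data against an allow-list and is never evaluated.

```javascript
// Added example, not pyLoad's code: a hardened CAPTCHA result handler.
// The untrusted `result` string is parsed as data against an allow-list;
// nothing in it is ever passed to eval() or otherwise executed.

// Assumed answer shapes (not taken from pyLoad):
//   text answer  - letters, digits and spaces, 1..64 characters
//   click answer - "x,y" with non-negative integers of at most 5 digits
const TEXT_ANSWER = /^[A-Za-z0-9 ]{1,64}$/;
const CLICK_ANSWER = /^(\d{1,5}),(\d{1,5})$/;

// Convert an untrusted result string into a typed value, or null if it
// matches no allowed shape. The advisory's "1;alert(document.cookie)"
// contains ';', '(' and '.' and therefore fails both patterns.
function parseCaptchaResult(result) {
  if (typeof result !== "string") return null;
  const click = CLICK_ANSWER.exec(result);
  if (click !== null) {
    return { kind: "click", x: Number(click[1]), y: Number(click[2]) };
  }
  if (TEXT_ANSWER.test(result)) {
    return { kind: "text", value: result };
  }
  return null;
}

// Hardened handler: validates first, then hands the parsed value to the
// caller-supplied `submit` callback (assumed) as plain data. Returns an
// outcome object so the caller can log rejected submissions.
function onCaptchaResult(result, submit) {
  const parsed = parseCaptchaResult(result);
  if (parsed === null) {
    return { accepted: false, reason: "malformed captcha result" };
  }
  submit(parsed);
  return { accepted: true, parsed };
}
```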

Reproduction Methods

  1. Official Source Installation:

     ```sh
     git clone https://github.com/pyload/pyload
     cd pyload
     git checkout 0.4.20
     python -m pip install -e .
     pyload --userdir=/tmp/pyload
     ```

  2. Virtual Environment:

     ```sh
     python -m venv pyload-env
     source pyload-env/bin/activate
     pip install pyload==0.4.20
     pyload
     ```

CAPTCHA Endpoint Verification

Technical Clarification:

  1. The vulnerable endpoint is actually:

     /interactive/captcha

  2. Complete PoC Request:

     ```http
     POST /interactive/captcha HTTP/1.1
     Host: localhost:8000
     Content-Type: application/x-www-form-urlencoded

     cid=123&response=1%3Balert(document.cookie)
     ```

  3. Curl Command Correction:

     ```sh
     curl -X POST "http://localhost:8000/interactive/captcha" \
       -d "cid=123&response=1%3Balert(document.cookie)"
     ```

  4. Vulnerable Code Location:
     The eval() vulnerability is confirmed in:

     src/pyload/webui/app/static/js/captcha-interactive.user.js

Resources

  1. https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546
  2. OWASP: Avoid eval()
  3. #4586
References

Affected packages

PyPI / pyload-ng

Package: pyload-ng (PyPI)
Affected ranges:
  Type: ECOSYSTEM
  Events:
    Introduced: 0 (Unknown introduced version / All previous versions are affected)
    Fixed: 0.20

Affected versions

0.*
0.5.0a5.dev528
0.5.0a5.dev532
0.5.0a5.dev535
0.5.0a5.dev536
0.5.0a5.dev537
0.5.0a5.dev539
0.5.0a5.dev540
0.5.0a5.dev545
0.5.0a5.dev562
0.5.0a5.dev564
0.5.0a5.dev565
0.5.0a6.dev570
0.5.0a6.dev578
0.5.0a6.dev587
0.5.0a7.dev596
0.5.0a8.dev602
0.5.0a9.dev615
0.5.0a9.dev629
0.5.0a9.dev632
0.5.0a9.dev641
0.5.0a9.dev643
0.5.0a9.dev655
0.5.0a9.dev806
0.5.0b1.dev1
0.5.0b1.dev2
0.5.0b1.dev3
0.5.0b1.dev4
0.5.0b1.dev5
0.5.0b2.dev9
0.5.0b2.dev10
0.5.0b2.dev11
0.5.0b2.dev12
0.5.0b3.dev13
0.5.0b3.dev14
0.5.0b3.dev17
0.5.0b3.dev18
0.5.0b3.dev19
0.5.0b3.dev20
0.5.0b3.dev21
0.5.0b3.dev22
0.5.0b3.dev24
0.5.0b3.dev26
0.5.0b3.dev27
0.5.0b3.dev28
0.5.0b3.dev29
0.5.0b3.dev30
0.5.0b3.dev31
0.5.0b3.dev32
0.5.0b3.dev33
0.5.0b3.dev34
0.5.0b3.dev35
0.5.0b3.dev38
0.5.0b3.dev39
0.5.0b3.dev40
0.5.0b3.dev41
0.5.0b3.dev42
0.5.0b3.dev43
0.5.0b3.dev44
0.5.0b3.dev45
0.5.0b3.dev46
0.5.0b3.dev47
0.5.0b3.dev48
0.5.0b3.dev49
0.5.0b3.dev50
0.5.0b3.dev51
0.5.0b3.dev52
0.5.0b3.dev53
0.5.0b3.dev54
0.5.0b3.dev57
0.5.0b3.dev60
0.5.0b3.dev62
0.5.0b3.dev64
0.5.0b3.dev65
0.5.0b3.dev66
0.5.0b3.dev67
0.5.0b3.dev68
0.5.0b3.dev69
0.5.0b3.dev70
0.5.0b3.dev71
0.5.0b3.dev72
0.5.0b3.dev73
0.5.0b3.dev74
0.5.0b3.dev75
0.5.0b3.dev76
0.5.0b3.dev77
0.5.0b3.dev78
0.5.0b3.dev79
0.5.0b3.dev80
0.5.0b3.dev81
0.5.0b3.dev82
0.5.0b3.dev85
0.5.0b3.dev87
0.5.0b3.dev88
0.5.0b3.dev89
0.5.0b3.dev90
0.5.0b3.dev91
0.5.0b3.dev92
0.5.0b3.dev93
0.5.0b3.dev94
0.5.0b3.dev95
0.5.0b3.dev96
0.5.0b3.dev97
0.5.0b3.dev98
0.5.0b3.dev99
0.5.0b3.dev100

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-496.yaml"