PYSEC-2026-498
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-498.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2026-498
- Aliases
- Published
- 2026-06-29T11:50:44.189733Z
- Modified
- 2026-06-29T12:15:41.603930824Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Code Injection in pyload-ng
- Details
-
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-0297
- https://github.com/pyload/pyload/commit/7d73ba7919e594d783b3411d7ddb87885aea782d
- https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65
- http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html
- http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html
- https://pypi.org/project/pyload-ng
- https://github.com/advisories/GHSA-pf38-5p22-x6h6
Affected packages
PyPI / pyload-ng
Package
- Name
- pyload-ng
- View open source insights on deps.dev
- Purl
- pkg:pypi/pyload-ng
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.5.0b3.dev31
Affected versions
0.*
0.5.0a5.dev528
0.5.0a5.dev532
0.5.0a5.dev535
0.5.0a5.dev536
0.5.0a5.dev537
0.5.0a5.dev539
0.5.0a5.dev540
0.5.0a5.dev545
0.5.0a5.dev562
0.5.0a5.dev564
0.5.0a5.dev565
0.5.0a6.dev570
0.5.0a6.dev578
0.5.0a6.dev587
0.5.0a7.dev596
0.5.0a8.dev602
0.5.0a9.dev615
0.5.0a9.dev629
0.5.0a9.dev632
0.5.0a9.dev641
0.5.0a9.dev643
0.5.0a9.dev655
0.5.0a9.dev806
0.5.0b1.dev1
0.5.0b1.dev2
0.5.0b1.dev3
0.5.0b1.dev4
0.5.0b1.dev5
0.5.0b2.dev9
0.5.0b2.dev10
0.5.0b2.dev11
0.5.0b2.dev12
0.5.0b3.dev13
0.5.0b3.dev14
0.5.0b3.dev17
0.5.0b3.dev18
0.5.0b3.dev19
0.5.0b3.dev20
0.5.0b3.dev21
0.5.0b3.dev22
0.5.0b3.dev24
0.5.0b3.dev26
0.5.0b3.dev27
0.5.0b3.dev28
0.5.0b3.dev29
0.5.0b3.dev30