Auth bypass in pyLoad

CVE-2026-33511

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host hea…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.002 (41.0th percentile)

Affected products

  • pyLoad: versions >= 0.4.20, < 0.5.0b3.dev97
