Arbitrary Code Injection Affecting pyload-ng package, versions [,0.5.0b3.dev90)

Q: How to fix?

Upgrade pyload-ng to version 0.5.0b3.dev90 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-PYLOADNG-11343420
published31 Jul 2025
disclosed30 Jul 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 30 Jul 2025

NewCWE-94 (opens in a new tab)

How to fix?

Upgrade pyload-ng to version 0.5.0b3.dev90 or higher.

Overview

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Arbitrary Code Injection via improper handling of the add_name parameter in the /json/add_package API endpoint. An attacker can inject arbitrary log entries by submitting input containing newline characters, which are not properly escaped, allowing manipulation of the application's log files.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None