Tag
high
advisory
PyLoad Path Traversal Vulnerability in set_package_data
2 rules, 1 TTP
PyLoad versions 0.5.0b3.dev99 and earlier are vulnerable to a path traversal vulnerability in the `set_package_data` function, allowing attackers to write files to arbitrary directories with the privileges of the PyLoad process.
pyload-ng
path-traversal
web-application
pyload
high
advisory
pyLoad Privilege Escalation Vulnerability (CVE-2026-41133)
2 rules, 1 TTP, 1 CVE
pyLoad versions up to 0.5.0b3.dev97 cache user roles and permissions in the session, leading to privilege escalation even after an admin revokes privileges.
pyLoad
privilege-escalation
CVE-2026-41133
critical
advisory
pyLoad Arbitrary Code Execution via Malicious Session Deserialization
2 rules, 4 TTPs, 1 CVE, 2 IOCs
pyLoad is vulnerable to arbitrary code execution via an unprotected `storage_folder` configuration option, allowing an attacker with `SETTINGS` and `ADD` permissions to write a malicious pickle payload to the Flask session store and execute arbitrary code upon subsequent HTTP requests.
pyLoad
rce
pickle
deserialization
webserver