CVE-2026-33511

CriticalPublic PoC

Published: 24 March 2026

Published

24 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0018 39.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated…

remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by identifying, reporting, and applying the patch to the local_check decorator flaw in pyLoad version 0.5.0b3.dev97.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to prevent bypass of localhost-restricted endpoints through HTTP Host header spoofing.

SC-7 Boundary Protection partial match

prevent

Monitors and controls communications at system boundaries to block or filter remote requests spoofing internal Host headers targeting restricted endpoints.

Security SummaryAI

CVE-2026-33511 affects pyLoad, a free and open-source download manager written in Python. The vulnerability resides in the local_check decorator within the ClickNLoad feature, which can be bypassed via HTTP Host header spoofing. It impacts versions from 0.4.20 up to but not including 0.5.0b3.dev97, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-639 (Authorization Bypass Through User-Controlled Key).

Any unauthenticated remote attacker can exploit this issue by spoofing the HTTP Host header to access endpoints restricted to localhost. Successful exploitation grants the ability to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code, potentially leading to full compromise of the affected pyLoad instance.

The GitHub security advisory (GHSA-g5j2-gxqh-x7pw) confirms the issue has been patched in pyLoad version 0.5.0b3.dev97, recommending users upgrade to this or later versions to mitigate the vulnerability.

Details

CWE(s): CWE-639

Affected Products

pyload

≤ 0.4.20

pyload-ng project

pyload-ng

0.5.0a5.dev528 — 0.5.0b3.dev97

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing web application (pyLoad download manager) via HTTP Host header spoofing to bypass localhost restrictions, granting arbitrary file writes and code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com
https://github.com/pyload/pyload/security/advisories/GHSA-g5j2-gxqh-x7pw
Exploit, Mitigation, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0