
THREATINT
PUBLISHED

CVE-2025-55156

PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter



Description

pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.

Reserved 2025-08-07 | Published 2025-08-11 | Updated 2025-08-11 | Assigner GitHub_M


HIGH: 7.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

< 0.5.0b3.dev91: affected

References

github.com/...pyload/security/advisories/GHSA-pwh4-6r3m-j2rf

github.com/...ommit/134edcdf6e2a10c393743c254da3d9d90b74258f

github.com/...elop/src/pyload/core/database/file_database.py

cve.org (CVE-2025-55156)

nvd.nist.gov (CVE-2025-55156)
