Description

pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.

PUBLISHED Reserved 2025-08-07 | Published 2025-08-11 | Updated 2025-08-12 | Assigner GitHub_M




HIGH: 7.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

< 0.5.0b3.dev91: affected

References

github.com/...pyload/security/advisories/GHSA-pwh4-6r3m-j2rf

github.com/...ommit/134edcdf6e2a10c393743c254da3d9d90b74258f

github.com/...elop/src/pyload/core/database/file_database.py

cve.org (CVE-2025-55156)

nvd.nist.gov (CVE-2025-55156)
