CVE-2026-44226 | THREATINT

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-11 | Updated 2026-05-11 | Assigner GitHub_M

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-209: Generation of Error Message Containing Sensitive Information

Product status

< 0.5.0b3.dev100

affected

References

github.com/...pyload/security/advisories/GHSA-c3gc-9pf2-84gg exploit

github.com/...pyload/security/advisories/GHSA-c3gc-9pf2-84gg

cve.org (CVE-2026-44226)

nvd.nist.gov (CVE-2026-44226)

Download JSON