CVE-2026-45348 | Severity: HIGH | CNA: GitHub_M

CVE-2026-45348: pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator's browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100.

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in pyLoad's web UI allows a low-privileged attacker to inject arbitrary JavaScript into the downloads view. The vulnerability is reachable over the network and requires only an account that can submit package links to plant the payload; a separate victim (such as an operator) must then open the downloads view in their browser to trigger execution. Successful exploitation gives the attacker script execution in the victim's browser session, enabling credential theft, session hijacking, and unauthorized actions on behalf of the victim; because the payload is stored, every operator who opens the downloads view is affected until the malicious link is removed. The upstream advisory names 0.5.0b3.dev100 as the fixed version, and HarborGuard flags any image carrying an earlier pyLoad release.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle pyLoad. Any image whose pyLoad version is below 0.5.0b3.dev100 is flagged automatically. Note that 0.5.0b3.dev100 is a PEP 440 development pre-release: 0.5.0b2 and 0.5.0b3.devNN with NN below 100 sort before it and are flagged, while 0.5.0b3 itself and any later release sort after it and are not.

Available
Triage

HarborGuard scores this finding at CVSS 8.7 HIGH and weights it against each environment's compliance policy, surfacing it to the appropriate team inbox within the customer org. Per-environment policy configuration controls whether the finding is treated as a blocking issue in CI pipelines or routed as a high-priority advisory.

Available
Patch

The upstream advisory names 0.5.0b3.dev100 as the first fixed version, so remediation is to rebuild affected images against that release or later. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention. Upgrading is the only complete fix; the compensating controls described below reduce exposure but leave the unescaped template literal in place.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the pyLoad web interface over the network to submit a malicious package link.

  • Authentication: Required

    Any low-privilege account with permission to submit package links is sufficient; no administrative credentials are needed.

  • Victim interaction: Required

    A separate victim (such as a pyLoad operator) must open the downloads view in their browser to trigger execution of the injected script.

  • Attack complexity: Low (AC:L in the CVSS vector)

    No race, timing, or environmental condition is involved. The attacker's URL only needs a single quote to close the href attribute, followed by an event-handler attribute; the stored value is rendered into the page unchanged, so the break-out works on every view.

Blast Radius

  • The injected script executes in the victim operator's browser session, giving the attacker access to session tokens and authentication cookies for that user.
  • The attacker can read any data visible in the pyLoad web UI under the victim's account, including package contents, links, and configuration.
  • The attacker can perform any action the victim operator is authorized to take, including adding, modifying, or deleting download packages and links.

How HarborGuard Handles This

Available on HarborGuard: the upstream fix (0.5.0b3.dev100) is published, so the primary remediation is to rebuild affected images against that release or later; for customers with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads are triggered automatically. Until the rebuilt image is rolled out, compensating controls reduce exposure but do not close the hole: restrict access to the pyLoad web interface via network policy so that only trusted users can submit package links; apply egress filtering on containers running pyLoad, which bounds what an attacker acting as the operator can make pyLoad fetch (it does not constrain the injected script itself, which runs in the operator's browser); and, since the advisory notes that the theme sets no Content Security Policy, consider adding one at the reverse proxy that disallows inline script and event handlers, after testing it against the web UI, because a theme that relies on inline scripts will break under a strict policy. A web application firewall rule that blocks submissions containing inline event-handler patterns is at best a speed bump, since attribute break-out payloads are easy to vary; treat it as a detection signal rather than a control. After upgrading, audit stored package links for quotes and event-handler fragments: a payload planted before the fix stays in the database and is still rendered by any replica that has not been rebuilt. Where compliance policy permits, HarborGuard can flag any pipeline build that includes an affected pyLoad image as a blocking failure until it is rebuilt.


Metrics

CVSS v3.1: 8.7
Severity: HIGH
Fixed in: 0.5.0b3.dev100
Affected products: 1
Affected packages:
  • pyload / pyload < 0.5.0b3.dev100
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N