CVE-2026-33511
Received Received - Intake
HTTP Host Header Bypass in pyLoad Enables Remote Code Execution

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33511
EUVD
EUVD-2026-15001
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pyload pyload to 0.4.20 (inc)
pyload-ng_project pyload-ng From 0.5.0a5.dev528 (inc) to 0.5.0b3.dev97 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33511 is a critical authentication bypass vulnerability in the ClickNLoad feature of pyLoad, a Python-based download manager. The issue arises because the local_check decorator, which is supposed to restrict access to certain endpoints to localhost only, improperly validates the HTTP Host header. It uses an OR condition between the client's IP address and the Host header, but the Host header can be spoofed by a remote attacker."}, {'type': 'paragraph', 'content': 'By sending requests with a spoofed Host header set to a localhost address, an attacker can bypass the localhost restriction despite originating from a remote IP. This allows unauthenticated remote users to access endpoints that should be restricted, enabling them to inject arbitrary downloads, write files to the storage directory, execute JavaScript code, and access sensitive information.'}, {'type': 'paragraph', 'content': 'The vulnerability affects pyLoad versions from 0.4.20 up to but not including 0.5.0b3.dev97, where it has been patched by removing the vulnerable Host header check and relying solely on the trusted client IP address.'}] [1]

Impact Analysis

This vulnerability can have several serious impacts if exploited:

  • Attackers can inject arbitrary download URLs into your download queue without authentication.
  • They can write arbitrary .dlc files to the storage directory, potentially leading to disk space exhaustion or malicious file placement.
  • Attackers can execute JavaScript code within the sandboxed MiniRacer environment, which poses a security risk.
  • Sensitive information such as version details and supported URLs can be disclosed to attackers.
  • Overall, the vulnerability can lead to malware infection, unauthorized file manipulation, information disclosure, and denial of service conditions.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring HTTP requests to the ClickNLoad endpoints of pyLoad for suspicious Host header values that spoof localhost addresses such as '127.0.0.1:9666' or '[::1]:9666'. Requests with these spoofed Host headers that receive HTTP 200 OK responses instead of HTTP 403 Forbidden indicate a successful bypass attempt."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can use network monitoring tools or web server logs to filter requests targeting the vulnerable endpoints with suspicious Host headers.'}, {'type': 'list_item', 'content': 'Use curl to test if the server accepts spoofed Host headers: curl -H "Host: 127.0.0.1:9666" http://<pyload-server>/flash/add -v'}, {'type': 'list_item', 'content': 'Check web server or application logs for requests to endpoints like /flash/add, /flash/addcrypted, /flash/addcrypted2, /flashgot, /flash/checkSupportForUrl, /crossdomain.xml, or /jdcheck.js with Host headers set to localhost IPs.'}, {'type': 'list_item', 'content': 'Use network packet capture tools (e.g., tcpdump or Wireshark) to filter HTTP traffic containing suspicious Host headers targeting the pyLoad server.'}] [1]

Mitigation Strategies

Immediate mitigation steps include updating pyLoad to version 0.5.0b3.dev97 or later, where the vulnerability has been patched by removing the insecure Host header check and relying solely on the trusted remote IP address for authorization.

If updating is not immediately possible, you should:

  • Implement network-level filtering to block incoming requests with Host headers spoofing localhost addresses.
  • Restrict access to the ClickNLoad endpoints to trusted IP addresses or localhost only via firewall or reverse proxy rules.
  • Add authentication mechanisms to the ClickNLoad endpoints to prevent unauthorized access.
  • Apply rate limiting to these endpoints to reduce the risk of abuse.
  • Enable logging and monitor failed and suspicious access attempts for early detection.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart