CVE-2026-44226
Information Disclosure in pyLoad WebUI

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.
Affected Vendors & Products
Vendor    Product      Version / Range
pyload    pyload       up to 0.5.0b3.dev100 (excluding)
pyload    pyload-ng    up to 0.5.0b3 (excluding)
CWE ID     Description
CWE-209    The product generates an error message that includes sensitive information about its environment, users, or associated data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to obtain detailed internal server information, including Python traceback details, source paths, and exception metadata. Such information disclosure can increase the risk of further attacks that may lead to unauthorized access or data breaches.

Exposure of sensitive internal details may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system security to prevent unauthorized disclosure.

The vulnerability itself does not directly disclose personal or protected health information, but it weakens the security posture by revealing implementation details that could be leveraged in attacks that compromise compliance.


Can you explain this vulnerability to me?

CVE-2026-44226 is a vulnerability in pyload-ng versions up to 0.5.0b3 that allows unauthenticated information disclosure via the WebUI.

The issue occurs because the WebUI's global exception handler returns full Python traceback details to clients when unhandled exceptions occur.

An attacker can exploit this by sending a request to the unauthenticated `/web/<path:filename>` route with a non-existent template name, triggering an exception.

The server then includes the internal stack trace, source paths, and exception metadata in the HTTP response, exposing sensitive implementation details.

This vulnerability was fixed in version 0.5.0b3.dev100.
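To illustrate the CWE-209 pattern described above, here is an added example (not pyLoad's own code): a minimal stdlib-only WSGI app with an unauthenticated /web/<filename> route, wired once to a global handler that echoes the traceback to the client and once to a hardened handler that keeps the traceback in server logs and returns only an opaque reference id. The template dictionary, the filesystem path in the error and the route wiring are assumptions made for the example.

```python
import logging
import traceback
import uuid
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for a theme/template directory (not pyLoad's real layout).
TEMPLATES = {"login.html": "<html>login</html>"}
log = logging.getLogger("webui")

def render_template(name):
    """Look up a template; a missing name raises, as a real template loader would."""
    if name not in TEMPLATES:
        raise FileNotFoundError(f"/srv/pyload/webui/templates/{name}")  # hypothetical path
    return TEMPLATES[name]

def leaky_handler(exc):
    """CWE-209 anti-pattern: the full traceback (with source paths) goes to the client."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return "500 Internal Server Error", detail

def safe_handler(exc):
    """Hardened handler: keep the traceback in server logs, return only an opaque id."""
    error_id = uuid.uuid4().hex
    log.error("unhandled exception [%s]", error_id, exc_info=exc)
    return "500 Internal Server Error", f"Internal error. Reference: {error_id}"

def make_app(handler):
    """Minimal WSGI app exposing an unauthenticated /web/<filename> route."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        try:
            name = path[len("/web/"):] if path.startswith("/web/") else ""
            status, body = "200 OK", render_template(name)
        except Exception as exc:  # the global exception handler decides what leaks
            status, body = handler(exc)
        start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
        return [body.encode("utf-8")]
    return app

def get(app, path):
    """Drive the app offline with a constructed WSGI environ; returns (status, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}
    body = b"".join(app(environ, lambda s, h: captured.setdefault("status", s)))
    return captured["status"], body.decode("utf-8")
```

Requesting a non-existent template through the leaky app returns a body containing "Traceback" and the server-side path, while the hardened app returns only the reference id that an operator can match against the log entry.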


How can this vulnerability impact me?

This vulnerability can impact you by exposing sensitive internal information about the pyload-ng server, such as stack traces, source code paths, and exception details.

Such information disclosure can aid attackers in understanding the internal workings of the application, potentially making it easier to find and exploit other vulnerabilities.

The vulnerability has a medium severity CVSS score of 5.3 due to its low attack complexity and the fact that no privileges or user interaction are required to exploit it.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending HTTP requests to the unauthenticated `/web/<path:filename>` route of the pyload-ng WebUI with non-existent template names. If the server responds with full Python traceback details, including internal stack traces and exception metadata, the system is vulnerable.

A simple detection command using curl could be:

  • curl -i http://<target-ip-or-host>/web/nonexistent_template

If the HTTP response contains Python traceback information or detailed error messages, it indicates the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade pyload-ng to version 0.5.0b3.dev100 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider restricting access to the `/web/<path:filename>` route by implementing network-level controls such as firewall rules or web server access restrictions to prevent unauthenticated access.

