CVE-2026-44226
Received Received - Intake
Information Disclosure in pyLoad WebUI

Publication date: 2026-05-11

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response. This vulnerability is fixed in 0.5.0b3.dev100.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-18
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-44226
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pyload pyload to 2026-04-13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44226 is a vulnerability in pyload-ng versions up to 0.5.0b3 that allows unauthenticated information disclosure via the WebUI.

The issue occurs because the WebUI's global exception handler returns full Python traceback details to clients when unhandled exceptions occur.

An attacker can exploit this by sending a request to the unauthenticated `/web/<path:filename>` route with a non-existent template name, triggering an exception.

The server then includes the internal stack trace, source paths, and exception metadata in the HTTP response, exposing sensitive implementation details.

This vulnerability was fixed in version 0.5.0b3.dev100.

Impact Analysis

This vulnerability can impact you by exposing sensitive internal information about the pyload-ng server, such as stack traces, source code paths, and exception details.

Such information disclosure can aid attackers in understanding the internal workings of the application, potentially making it easier to find and exploit other vulnerabilities.

The vulnerability has a medium severity CVSS score of 5.3 due to its low attack complexity and the fact that no privileges or user interaction are required to exploit it.

Detection Guidance

This vulnerability can be detected by sending HTTP requests to the unauthenticated `/web/<path:filename>` route of the pyload-ng WebUI with non-existent template names. If the server responds with full Python traceback details, including internal stack traces and exception metadata, the system is vulnerable.

A simple detection command using curl could be:

  • curl -i http://<target-ip-or-host>/web/nonexistent_template

If the HTTP response contains Python traceback information or detailed error messages, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade pyload-ng to version 0.5.0b3.dev100 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider restricting access to the `/web/<path:filename>` route by implementing network-level controls such as firewall rules or web server access restrictions to prevent unauthenticated access.

Compliance Impact

This vulnerability allows unauthenticated attackers to obtain detailed internal server information, including Python traceback details, source paths, and exception metadata. Such information disclosure can increase the risk of further attacks that may lead to unauthorized access or data breaches.

Exposure of sensitive internal details may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system security to prevent unauthorized disclosure.

However, the vulnerability itself does not directly disclose personal or protected health information, but it weakens the security posture by revealing implementation details that could be leveraged in attacks compromising compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart