CVE-2026-45348
Deferred Deferred - Pending Action
Stored XSS in pyLoad Download Manager via Malicious Package Link

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator's browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-45348
EUVD
EUVD-2026-32957
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pyload pyload to 0.5.0b3.dev100 (exc)
pyload pyload-ng to 0.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45348 is a stored cross-site scripting (XSS) vulnerability in the pyload-ng package, affecting versions up to 0.5.0. The issue occurs because user-submitted package link URLs are inserted into a JavaScript template without proper escaping. This allows an attacker with permission to add packages to inject malicious JavaScript code by including event handlers in the URL.

When an administrator or other user views the Downloads page, the injected script executes in their browser, potentially stealing session cookies or performing other malicious actions. The vulnerability is persistent and does not require further interaction beyond visiting the affected page.

The root cause is the lack of HTML escaping in the template and the absence of a Content Security Policy that restricts inline scripts or event handlers.

Impact Analysis

This vulnerability can lead to unauthorized code execution in the browsers of users who view the affected Downloads page.

  • An attacker can steal session cookies, potentially hijacking user sessions.
  • Malicious scripts could perform actions on behalf of the user, leading to data theft or manipulation.
  • If an administrator's session is compromised, it could lead to remote code execution or further system compromise.
Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript code injected into the Downloads page of pyLoad, specifically in the package link URLs that are rendered without proper escaping.

Since the attack involves stored cross-site scripting (XSS), detection involves inspecting the HTML content of the Downloads page (e.g., /collector or /queue) for suspicious event handlers or script injections in package links.

You can also monitor HTTP traffic to the Downloads page for unusual script tags or event handlers embedded in URLs.

  • Use browser developer tools to inspect the DOM elements on the Downloads page for injected event handlers like 'onmouseover' in package links.
  • Run a command-line HTTP request to fetch the Downloads page and grep for suspicious patterns, for example:
  • curl -s http://<pyload-server>/collector | grep -E "onmouseover|onerror|onclick"
  • Check the pyLoad package database or configuration for any package links containing single quotes or event handler attributes.
Mitigation Strategies

The immediate mitigation steps include upgrading pyLoad to version 0.5.0b3.dev100 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, restrict user permissions to prevent attackers from submitting malicious package links, specifically limiting users with 'Perms.ADD' privileges.

Implement a strict Content Security Policy (CSP) header that disallows inline scripts and event handlers to reduce the risk of script execution.

Sanitize or escape all user-submitted package link URLs before rendering them in the web interface to prevent injection.

Monitor and audit package submissions for suspicious content and remove any malicious entries.

Compliance Impact

This vulnerability allows an attacker to execute malicious JavaScript in the browsers of operators who view the affected downloads page, potentially leading to unauthorized access to sensitive data such as session cookies.

Such unauthorized access and potential data theft can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

The lack of proper input sanitization and absence of a strict Content Security Policy (CSP) contribute to the risk of data exposure, which can result in non-compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45348. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart