Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33314

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

pyload-ng: Improper Authentication and Origin Validation Error

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.

References

https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r x_refsource_CONFIRM

Affected products

pyload

==< 0.5.0b3.dev97

Matching in nixpkgs

pkgs.pyload-ng

Free and open-source download manager with support for 1-click-hosting sites

nixos-unstable 0.5.0b3.dev88
- nixpkgs-unstable 0.5.0b3.dev88
- nixos-unstable-small 0.5.0b3.dev88
nixos-25.11 0.5.0b3.dev88
- nixos-25.11-small 0.5.0b3.dev88
- nixpkgs-25.11-darwin 0.5.0b3.dev88

pkgs.python312Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-25.11 1.4.2
- nixos-25.11-small 1.4.2
- nixpkgs-25.11-darwin 1.4.2

pkgs.python313Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-unstable 1.4.2
- nixpkgs-unstable 1.4.2
- nixos-unstable-small 1.4.2
nixos-25.11 1.4.2
- nixos-25.11-small 1.4.2
- nixpkgs-25.11-darwin 1.4.2

pkgs.python314Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-unstable 1.4.2
- nixpkgs-unstable 1.4.2
- nixos-unstable-small 1.4.2

pkgs.home-assistant-component-tests.pyload

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.pyload

Open source home automation that puts local control and privacy first

nixos-unstable 2026.3.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.3.3

Package maintainers

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@ruby0b ruby0b

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.pyload-ng

pkgs.python312Packages.pyloadapi

pkgs.python313Packages.pyloadapi

pkgs.python314Packages.pyloadapi

pkgs.home-assistant-component-tests.pyload

pkgs.tests.home-assistant-component-tests.pyload

Package maintainers