CVE-2025-55156

pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.

CVSS

No CVSS.

References

Link	Resource
https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f
https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf

Configurations

No configuration.

History

12 Aug 2025, 14:25

Type	Values Removed	Values Added
Summary		(es) pyLoad es un gestor de descargas gratuito y de código abierto escrito en Python puro. Antes de la versión 0.5.0b3.dev91, el parámetro add_links en la API /json/add_package era vulnerable a la inyección de SQL. Los atacantes pueden modificar o eliminar datos de la base de datos, lo que provoca errores o pérdida de datos. Este problema se ha corregido en la versión 0.5.0b3.dev91.

11 Aug 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-11 23:15

Updated : 2025-08-12 14:25

NVD link : CVE-2025-55156

Mitre link : CVE-2025-55156

CVE.ORG link : CVE-2025-55156

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-55156", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-11T23:15:26.850", "references": [{"url": "https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271", "source": "security-advisories@github.com"}, {"url": "https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f", "source": "security-advisories@github.com"}, {"url": "https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python puro. Antes de la versi\u00f3n 0.5.0b3.dev91, el par\u00e1metro add_links en la API /json/add_package era vulnerable a la inyecci\u00f3n de SQL. Los atacantes pueden modificar o eliminar datos de la base de datos, lo que provoca errores o p\u00e9rdida de datos. Este problema se ha corregido en la versi\u00f3n 0.5.0b3.dev91."}], "lastModified": "2025-08-12T14:25:33.177", "sourceIdentifier": "security-advisories@github.com"}