PyLoad vulnerable to SQL Injection via API /json/add_package in add

7.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.

Basic Information

ID CVE-2025-55156

Source GitHub_M

Published Aug 11, 2025 at 22:21

Affected Product

Vendor pyload

Product pyload

Version < 0.5.0b3.dev91

Affected Versions pyload pyload < 0.5.0b3.dev91

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.",
    "published": "2025-08-11T22:21:52.225Z",
    "modified": "2025-08-11T22:21:52.225Z",
    "type": "cve",
    "title": "PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter",
    "source": "GitHub_M",
    "references": "https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf\nhttps://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f\nhttps://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271",
    "id": "CVE-2025-55156",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "pyload pyload < 0.5.0b3.dev91",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pyload",
    "version": "< 0.5.0b3.dev91",
    "vendor": "pyload",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter_CVE-2025-55156