8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-61773

GHSA ID

GHSA-cjjf-27cc-pvmv

EPSS Score

CWE

CWE-74

Published

10/9/2025

Updated

10/9/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61773

CVE-2025-61773: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

Summary

pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted.

user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow. CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests.

PoC

Run a vulnerable version of pyLoad prior to commit f9d27f2.
Start the web UI and access the Captcha or CNL endpoints.
Submit a crafted request containing malicious JavaScript payloads in unvalidated parameters (/flash/addcrypted2?jk=function(){alert(1)}&crypted=12345).
Observe that the payload is reflected and executed in the client’s browser, demonstrating cross-site scripting (XSS).

Example request:

GET /flash/addcrypted2?jk=function(){alert(1)}&crypted=12345 HTTP/1.1
Host: 127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

Impact

Exploiting this vulnerability allows an attacker to inject and execute arbitrary JavaScript within the browser session of a user accessing the pyLoad Web UI. In practice, this means an attacker could impersonate an administrator, steal authentication cookies or tokens, and perform unauthorized actions on behalf of the victim. Because the affected endpoints are part of the core interface, a successful attack undermines the trust and security of the entire application, potentially leading to a full compromise of the management interface and the data it controls. The impact is particularly severe in cases where the Web UI is exposed over a network without additional access restrictions, as it enables remote attackers to directly target users with crafted links or requests that trigger the vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-61773

CVE-2025-61773:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-61773

GHSA ID

GHSA-cjjf-27cc-pvmv

EPSS Score

CWE

CWE-74

Published

10/9/2025

Updated

10/9/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pyload-ng	pip	< 0.5.0b3.dev91	0.5.0b3.dev91

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis identified two primary weaknesses in the pyLoad web interface. The first is a path traversal vulnerability in the Click'N'Load (CNL) blueprint, and the second is a cross-site scripting (XSS) vulnerability in the interactive captcha handler.

Path Traversal in CNL Blueprint (cnl_blueprint.addcrypted): The addcrypted function in src/pyload/webui/app/blueprints/cnl_blueprint.py was responsible for handling encrypted links. It took a package parameter from the user's request and used it to create a .dlc file. The vulnerability existed because the package parameter was not sanitized, allowing an attacker to use directory traversal characters (../) to control the location where the file was saved. This could lead to arbitrary file creation on the server. The patch addresses this by using werkzeug.utils.secure_filename to sanitize the input, ensuring that the filename is safe to use.
XSS in Captcha Handler (window.addEventListener): The captcha-interactive.user.js script, which manages interactive captchas, used window.addEventListener to listen for messages from a parent window. The vulnerability was that the script did not verify the origin of these messages. A malicious website could embed the pyLoad captcha page in an iframe and send it a crafted message, which would then be executed in the context of the pyLoad web UI. This could lead to session hijacking or other malicious actions. The patch mitigates this by checking if the message origin is in a list of trusted origins before processing it.

By exploiting these vulnerabilities, an attacker could either write files to arbitrary locations on the server or execute malicious scripts in a user's browser, leading to a compromise of the pyLoad instance.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-61773: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

Summary

PoC

Impact

CVE-2025-61773:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Basic Information

Basic Information

CVE-2025-61773: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

Summary

PoC

Impact

Technical Details

8.1

8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-61773: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

Summary

PoC

Impact

CVE-2025-61773:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2025-61773: pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

Summary

PoC

Impact

Technical Details

8.1

8.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI