Cyber Resilience

CVE-2024-39205

Critical

Published: 28 October 2024
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8392 (99.3rd percentile)
Risk Priority: 70 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39205 is a critical-severity vulnerability with no CWE assigned (the weakness type is unspecified). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by EPSS exploit likelihood (99.3rd percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-39205 is a remote code execution vulnerability affecting pyload-ng version 0.5.0b3.dev85 when running under Python 3.11 or earlier. The flaw permits arbitrary code execution through a specially crafted HTTP request and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated attacker can send a malicious HTTP request to the affected pyload-ng instance and obtain arbitrary code execution on the underlying host, resulting in full confidentiality, integrity, and availability impact. Because the attack needs neither credentials nor user interaction, any pyload-ng web interface reachable from an untrusted network should be treated as exposed.

Public references include a proof-of-concept repository, the upstream pyload project, and GitHub Security Advisory GHSA-r9pp-r4xf-597r, which documents the issue. The EPSS score stands at 0.8392, equal to its recorded peak, indicating sustained high exploitation probability since disclosure.

Vulnerability details

An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
