CVE-2026-33511
Published: 24 March 2026
Summary
CVE-2026-33511 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Pyload Pyload. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by identifying, reporting, and applying the patch to the local_check decorator flaw in pyLoad version 0.5.0b3.dev97.
Enforces approved authorizations to prevent bypass of localhost-restricted endpoints through HTTP Host header spoofing.
Monitors and controls communications at system boundaries to block or filter remote requests spoofing internal Host headers targeting restricted endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing web application (pyLoad download manager) via HTTP Host header spoofing to bypass localhost restrictions, granting arbitrary file writes and code execution, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated…
more
remote users to access localhost-restricted endpoints, enabling them to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. This issue has been patched in version 0.5.0b3.dev97.
Deeper analysisAI
CVE-2026-33511 affects pyLoad, a free and open-source download manager written in Python. The vulnerability resides in the local_check decorator within the ClickNLoad feature, which can be bypassed via HTTP Host header spoofing. It impacts versions from 0.4.20 up to but not including 0.5.0b3.dev97, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-639 (Authorization Bypass Through User-Controlled Key).
Any unauthenticated remote attacker can exploit this issue by spoofing the HTTP Host header to access endpoints restricted to localhost. Successful exploitation grants the ability to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code, potentially leading to full compromise of the affected pyLoad instance.
The GitHub security advisory (GHSA-g5j2-gxqh-x7pw) confirms the issue has been patched in pyLoad version 0.5.0b3.dev97, recommending users upgrade to this or later versions to mitigate the vulnerability.
Details
- CWE(s)