logo

Database

Technical information leak In pyload-ng

Description

PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI

Summary

pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions.

Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response.

Details

The issue is caused by the combination of:

    Unauthenticated template-render route:

    src/pyload/webui/app/blueprints/app_blueprint.py:32-36

      @bp.route("/web/<path:filename>", endpoint="web")

      data = render_template(filename) with user-controlled filename

      no @login_required(...) on this route

    Global exception handler exposes traceback to response:

    src/pyload/webui/app/handlers.py:14-27

      tb = traceback.format_exc()

      messages.extend(tb.split('\n'))

      returned in rendered error page for all exceptions

    Error page renders all messages:

    src/pyload/webui/app/themes/modern/templates/base.html:217-219

      loops over messages and prints them in response HTML

So any unhandled exception can disclose internal implementation details (stack frames, source paths, exception metadata) to remote unauthenticated clients.

This is a core behavior issue in default WebUI error handling

PoC

#!/usr/bin/env python3
from __future__ import annotations

import re
import shutil
import tempfile
import traceback
from pathlib import Path...

Observed result:

unauth_web_route= True
user_controlled_template_name= True
handler_uses_traceback= True
handler_appends_trace= True
global_exception_handler= True
template_renders_messages= True
leaked_traceback_keyword= True
leaked_exception_type= True...

Impact

    Vulnerability type: Information disclosure (stack trace / internal path leakage).

    Attack surface: unauthenticated WebUI request path.

    Exposes internal error details that help attackers map application internals and improve exploit reliability for follow-on attacks.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-442262. NVD-2026-442263. OSV-2026-442264. GHSA-c3gc-9pf2-84gg5. GCVE-2026-44226

References

1. https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.