CVE-2025-55156: 
Python vulnerability analysis and mitigation

CVE-2025-55156 affects pyLoad, a free and open-source Download Manager written in Python. The vulnerability was discovered on August 11, 2025, in versions prior to 0.5.0b3.dev91. The issue resides in the parameter add_links in API /json/add_package which is vulnerable to SQL Injection (GitHub Advisory).

The vulnerability exists in the update_link_info method within file_database.py where user input from the add_links parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability chain flows through multiple components including json_blueprint.py#add_package, api/init.py#add_package, and file_manager.py#add_links. The issue has been assigned a CVSS v4.0 score of 7.8 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P and is classified as CWE-89 (SQL Injection) (NVD, GitHub Advisory).

The SQL injection vulnerability allows attackers to modify or delete data in the database, potentially causing data errors or loss. The attack vector requires no user interaction and can be executed remotely, making it particularly dangerous for exposed installations (GitHub Advisory).

The vulnerability has been patched in version 0.5.0b3.dev91. The fix involves implementing parameterized queries instead of string concatenation for SQL statements. Users are strongly advised to upgrade to the patched version. The fix includes replacing the vulnerable string concatenation with proper SQL parameter binding (GitHub Commit).