CVE-2025-61773: 
Python vulnerability analysis and mitigation

pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint in versions prior to 0.5.0b3.dev91. This vulnerability (CVE-2025-61773) was discovered and disclosed on October 9, 2025. The flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability affected the pyload-ng package distributed through pip (GitHub Advisory).

The vulnerability stems from two main issues: First, user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. Second, the CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The weakness types identified include CWE-79 (Cross-site Scripting), CWE-116 (Improper Encoding), CWE-94 (Code Injection), and CWE-74 (Injection) (GitHub Advisory).

Exploiting this vulnerability allows an attacker to inject and execute arbitrary JavaScript within the browser session of a user accessing the pyLoad Web UI. An attacker could impersonate an administrator, steal authentication cookies or tokens, and perform unauthorized actions on behalf of the victim. The impact is particularly severe when the Web UI is exposed over a network without additional access restrictions, as it enables remote attackers to directly target users with crafted links or requests (GitHub Advisory).

The vulnerability has been patched in version 0.5.0b3.dev91. The fix includes strengthening input validation in the captcha script and CNL Blueprint by implementing proper sanitization of user input and adding origin validation for message handling. The patch uses werkzeug.utils.secure_filename for sanitizing user-supplied package names and implements explicit whitelisting of trusted origins for message processing (GitHub Commit).