Safety vulnerability ID: 78703
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the pyload-ng package are vulnerable to SQL Injection due to unsanitized concatenation of user-controlled input into a database query. The /json/add_package API path propagates the add_links parameter to src/pyload/core/database/file_database.py:update_link_info, which constructs a comma-separated list of URLs and interpolates it directly into SELECT id FROM links WHERE url IN ('{statuses}') rather than using parameterised placeholders, allowing crafted values to alter the SQL syntax. An authenticated attacker can send a POST request to /json/add_package with a malicious add_links value that terminates the string literal and injects arbitrary SQL, enabling modification or deletion of database records and causing data loss and service disruption in pyload-ng.
Latest version: 0.5.0b3.dev92
The free and open-source Download Manager written in pure Python
This vulnerability has no description
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application