CVE-2026-44226: PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
The pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions.
Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response.
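The failure mode described above, next to a hardened handler, as an added example that is not pyLoad's code. It uses a standard-library WSGI stand-in for the route; `render`, `leaky_app`, `hardened_app`, `call`, `leaks_traceback` and the template table are hypothetical names and constructed data.

```python
import logging, traceback, uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("webui")
# Constructed sample templates; "broken.html" fails at render time on purpose.
TEMPLATES = {"login.html": "<h1>Login</h1>", "broken.html": "{user.name}"}

def render(environ):
    # Stand-in for a /web/<path:filename> route: the template name comes from the URL.
    name = environ["PATH_INFO"].split("/web/", 1)[-1]
    return TEMPLATES[name].format(user=None)  # KeyError if the template is unknown

def leaky_app(environ, start_response):
    # Vulnerable pattern: the catch-all handler sends the traceback to the client.
    try:
        body, status = render(environ), "200 OK"
    except Exception:
        body, status = traceback.format_exc(), "500 Internal Server Error"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]

def hardened_app(environ, start_response):
    # Hardened pattern: an unknown template is a plain 404; anything else is
    # logged server-side under a random ID and the client sees only that ID.
    try:
        body, status = render(environ), "200 OK"
    except KeyError:
        body, status = "Not found", "404 Not Found"
    except Exception:
        error_id = uuid.uuid4().hex
        log.exception("unhandled error %s", error_id)
        body, status = f"Internal error (id {error_id})", "500 Internal Server Error"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]

def call(app, path):
    # Drive a WSGI app in-process; returns (status line, body text).
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode()

def leaks_traceback(body):
    # Response check usable in a regression test after upgrading or patching.
    return "Traceback (most recent call last)" in body or 'File "' in body
```

The `leaks_traceback` check can be pointed at the error responses of a deployed instance to confirm that no stack frames reach the client.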