Improper String/Integer Input Validation Leads to the Crashing of Site in pyload/pyload


Reported on

Jan 5th 2023


If you give the string input in the Start/End time field, then the application will stop working.

Proof of Concept

  1. Go to "Settings->General-Reconnection"
  2. Change activated to "on"
  3. On every input fields place any string for example put: "test"
  4. Click on save and refresh
  5. The application will crash

Fix: rm ~/.pyload/settings/pyload.cfg or editing pyload.cfg.


We can crash the application. Changing it with CSRF could lead to leveraging more paths to launch this attack.

We are processing your report and will contact the pyload team within 24 hours. 9 months ago
We have contacted a member of the pyload team and are waiting to hear back 8 months ago
pyload/pyload maintainer validated this vulnerability 8 months ago
Kiran Ghimire has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev40 with commit a2b1eb 8 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability 8 months ago
to join this conversation