CVE-2025-53890: pyLoad vulnerable to XSS through insecure CAPTCHA

July 15, 2025

An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.

References

github.com/advisories/GHSA-8w3f-4r8f-pf53
github.com/pyload/pyload
github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546
github.com/pyload/pyload/pull/4586
github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53
nvd.nist.gov/vuln/detail/CVE-2025-53890

Code Behaviors & Features

Detect and mitigate CVE-2025-53890 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →