CVE-2025-55156: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
The parameter add_links in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.
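As an added illustration of the defect class this advisory describes (constructed example code, not pyLoad's own code and not a reproduction of the real file_database.py logic), the following Python runs the same untrusted link text through two versions of a link-adding routine: one that interpolates the value into the SQL string, and one that uses driver placeholders. The table schema, function names and sample URLs are assumptions made for the example. The link containing a single quote is enough to show whether user-supplied text reaches the SQL parser, which is the precondition for injection; the parameterized version stores it verbatim.

```python
import sqlite3

# Constructed sample input: one ordinary URL and one containing a single quote.
SAMPLE_LINKS = [
    "http://example.invalid/file1.zip",
    "http://example.invalid/it's.zip",
]


def make_db():
    """Fresh in-memory database with a constructed links table (assumed schema, not pyLoad's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT NOT NULL, package INTEGER NOT NULL)"
    )
    return conn


def add_links_unsafe(conn, package_id, links):
    """Vulnerable pattern: the link text is formatted straight into the SQL statement,
    so any quote in it changes the statement's structure."""
    for url in links:
        conn.execute(
            f"INSERT INTO links (url, package) VALUES ('{url}', {int(package_id)})"
        )


def add_links_safe(conn, package_id, links):
    """Hardened pattern: placeholders keep the data separate from the SQL text;
    the driver never parses the URL as SQL."""
    conn.executemany(
        "INSERT INTO links (url, package) VALUES (?, ?)",
        [(url, package_id) for url in links],
    )


def stored_urls(conn, package_id):
    """Return the URLs stored for a package, in insertion order."""
    rows = conn.execute(
        "SELECT url FROM links WHERE package = ? ORDER BY id", (package_id,)
    )
    return [row[0] for row in rows]


def compare(links=SAMPLE_LINKS):
    """Run both variants on the same input and report what each ended up storing.

    For the unsafe variant a quote in the input surfaces as a SQL syntax error,
    proof that the text was parsed as SQL; the safe variant stores it literally.
    """
    result = {}
    conn = make_db()
    try:
        add_links_unsafe(conn, 1, links)
        result["unsafe"] = stored_urls(conn, 1)
    except sqlite3.Error as exc:
        result["unsafe"] = f"error: {exc}"
    conn = make_db()
    add_links_safe(conn, 1, links)
    result["safe"] = stored_urls(conn, 1)
    return result


if __name__ == "__main__":
    for variant, outcome in compare().items():
        print(f"{variant}: {outcome}")
```

The fix pattern is the same regardless of database driver: pass every value from the request as a bound parameter, never as part of the statement text, and reserve string formatting for identifiers that come from code rather than from the client.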
References
- github.com/advisories/GHSA-pwh4-6r3m-j2rf
- github.com/pyload/pyload
- github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py
- github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f
- github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf
- nvd.nist.gov/vuln/detail/CVE-2025-55156