GHSA-3wwm-hjv7-23r3: Pyload log Injection via API /json/add_package in add_name parameter

July 30, 2025

A log injection vulnerability was identified in pyload in API /json/add_package. This vulnerability allows user with add packages permission to inject arbitrary messages into the logs gathered by pyload.

References

github.com/advisories/GHSA-3wwm-hjv7-23r3
github.com/pyload/pyload
github.com/pyload/pyload/commit/ddf8a48b83aaf36052b08732c424cffcf9ffccca
github.com/pyload/pyload/security/advisories/GHSA-3wwm-hjv7-23r3

Code Behaviors & Features

Detect and mitigate GHSA-3wwm-hjv7-23r3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →