Impact
pyLoad is a self-hosted downloader commonly run on servers, NAS devices, or automation hosts. The public advisories track CVE-2024-47821 / GHSA-w7hq-f2pj-c53g as a command-injection risk in affected pyLoad releases before 0.5.0b3.dev87 [S1][S2]. The upstream advisory context describes a prerequisite of privileged settings access, so practical exposure depends on who can administer or configure the pyLoad instance and whether the UI/API is reachable by untrusted users [S2][S3].
Affected dependency evidence
GitHub Advisory lists the PyPI package pyload-ng as affected before 0.5.0b3.dev87 and patched at 0.5.0b3.dev87 [S1]. NVD tracks the issue as CWE-78 and carries both CNA and NVD scoring context for CVE-2024-47821 [S2]. PyPI package metadata confirms the patched pyload-ng release line is available for dependency upgrades [S4].
Covered by FixVibe
FixVibe GitHub repo scans check authorized repository snapshots for Python dependency manifests and lockfiles in which pyload-ng can resolve to the affected version range. Findings are version-based advisory evidence: FixVibe reports the file path, the detected version or constraint, the advisory IDs, the fixed version, a confidence level, and remediation guidance.
The scan does not run pyLoad, send /flashgot requests, change pyLoad settings, make the target download files, write to script directories, trigger script execution, authenticate to pyLoad, or claim command execution from dependency evidence alone.
Fix
Upgrade pyload-ng to 0.5.0b3.dev87 or newer, regenerate the active Python lockfile, and rebuild every pyLoad host, worker, virtualenv, package cache, or container image that installs it. Keep the pyLoad UI/API restricted to trusted users or trusted networks, review download-folder and script-execution settings, and inspect logs if an affected instance was exposed before patching. Rerun the FixVibe GitHub repo scan after the runtime and lockfile are updated.
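The version check behind a manifest and lockfile scan of this kind, and the before/after pin the upgrade step produces, as an added example that is not FixVibe's or pyLoad's own code. It assumes requirements.txt-style input, implements only the PEP 440 shapes pyload-ng versions actually take (release segment, optional a/b/rc pre-release, optional .devN), considers only the first specifier of a requirement, and uses constructed sample manifests with a placeholder hash.

```python
"""Added example (not FixVibe's or pyLoad's code): classify pyload-ng
requirements against the CVE-2024-47821 range (fixed in 0.5.0b3.dev87).
Minimal PEP 440 subset: X.Y.Z[{a|b|rc}N][.devN]; not a full implementation.
"""
import re

ADVISORY = "CVE-2024-47821 / GHSA-w7hq-f2pj-c53g"
FIXED_VERSION = "0.5.0b3.dev87"

_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre_tag>a|b|rc)(?P<pre_num>\d+))?"
    r"(?:\.dev(?P<dev>\d+))?$"
)
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?"  # optional extras, e.g. pyload-ng[all]
    r"\s*(?:(?P<op>===|==|~=|>=|<=|!=|<|>)\s*(?P<ver>[^\s,;#]+))?"
)


def version_key(version):
    """Sort key: dev < pre-release (a < b < rc) < final; 0.5 == 0.5.0."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(p) for p in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:  # trailing zeros are insignificant
        release.pop()
    # A final release (no a/b/rc tag) sorts after every pre-release of the same release.
    pre = (_PRE_ORDER[m.group("pre_tag")], int(m.group("pre_num"))) if m.group("pre_tag") else (3, 0)
    # A .devN version sorts before the same version without .devN.
    dev = (0, int(m.group("dev"))) if m.group("dev") is not None else (1, 0)
    return (tuple(release), pre, dev)


def is_affected(version):
    """True when the version is strictly below the patched release."""
    return version_key(version) < version_key(FIXED_VERSION)


def normalize_name(name):
    """PEP 503 normalization so pyload_ng and PyLoad-NG both match pyload-ng."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify_requirement(line):
    """Classify one requirements/lockfile line; None if it is not a pyload-ng requirement."""
    text = line.split("#", 1)[0].strip().rstrip("\\").strip()
    if not text or text.startswith("-"):  # blank, option, or --hash continuation line
        return None
    m = _REQ_RE.match(text)
    if not m or normalize_name(m.group("name")) != "pyload-ng":
        return None
    op, ver = m.group("op"), m.group("ver")
    if op is None:
        status, reason = "indeterminate", "unpinned; check the resolved version in the lockfile"
    elif op in ("==", "==="):
        status = "affected" if is_affected(ver) else "fixed"
        reason = f"pinned to {ver}"
    elif op in (">=", "~="):
        status = "affected" if is_affected(ver) else "fixed"
        reason = f"lower bound {ver} {'permits' if status == 'affected' else 'excludes'} affected versions"
    else:
        status, reason = "indeterminate", f"constraint {op}{ver} sets no lower bound"
    return {"name": "pyload-ng", "constraint": f"{op or ''}{ver or ''}", "status": status,
            "reason": reason, "fixed_version": FIXED_VERSION, "advisory": ADVISORY}


def scan_requirements(text):
    """Return one finding per pyload-ng requirement line, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        finding = classify_requirement(line)
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


# Constructed sample manifests (not from any real repository); the hash is a placeholder.
BEFORE_FIX = """\
# requirements.txt before the upgrade
requests==2.32.3
PyLoad_NG[all]==0.5.0b3.dev86 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""
AFTER_FIX = """\
# requirements.txt after upgrading and regenerating the lockfile
requests==2.32.3
pyload-ng[all]==0.5.0b3.dev87
"""

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        for f in scan_requirements(manifest):
            print(f"{label}: line {f['line']} pyload-ng{f['constraint']} -> {f['status']} ({f['reason']})")
```

The `>=` case is deliberately reported as affected when the lower bound is below the fix: the constraint permits an affected version even if a fresh resolve would pick a newer one, which is why the advice above is to regenerate the lockfile and rescan the pinned result rather than trust the manifest alone.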
