CVE-2025-53890

Published Jul 15, 2025

Last updated 3 days ago

CVSS critical 9.8

Overview

Description
pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-94

Social media

Hype score
Not currently trending

  1. Warning: A critical unsafe JavaScript evaluation vulnerability in @pyload allows unauthenticated remote attackers to execute arbitrary code in the browser and potentially on the server #RCE. CVE-2025-53890 with CVSS 9.8 demands urgent action. #Patch https://t.co/nIFz3rE91G

    @CCBalert

    15 Jul 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-53890 Unauthenticated Remote Code Execution in pyLoad Download Manager https://t.co/ZXWE1SaEFH

    @VulmonFeeds

    15 Jul 2025

    80 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-53890 pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthentic… https://t.co/AJTY4b1UTu

    @CVEnew

    15 Jul 2025

    599 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2025-53890: CRITICAL] Critical vulnerability in pyload Download Manager allows attackers to execute arbitrary code. Update to version 0.5.0b3.dev89 with patch 909e5c97885237530d1 to stay secure.#cve,CVE-2025-53890,#cybersecurity https://t.co/1rQwKkP68u https://t.co/t7PDtieuK

    @CveFindCom

    15 Jul 2025

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.