


Perceptive Security
SOC/SIEM Consultancy

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/tem…
Published: 27 May 2026 at 22:00:00
Alert date: 28 May 2026 at 19:09:38
Source: nvd.nist.gov
Web Technologies
pyLoad, an open-source Python download manager, contains a stored cross-site scripting (XSS) vulnerability prior to version 0.5.0b3.dev100. The vulnerability exists in the packages.js template where stored link URLs are interpolated into HTML without proper escaping. Attackers can inject malicious JavaScript by submitting package links containing single quotes and event handlers, which execute in operators' browsers when viewing the downloads page. The vulnerability is exacerbated by the lack of Content Security Policy restrictions on inline scripts.
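The escaping failure described above, as an added example that is not pyLoad's own code: the anchor markup, the `storedLink` sample and all function names are hypothetical. It renders the same stored URL raw and escaped, then checks which attributes the resulting tag carries.

```javascript
// Added illustration; the markup is hypothetical, not pyLoad's packages.js.

// Constructed sample: a stored link URL carrying a single quote and an event handler.
const storedLink = { name: "file.bin", url: "http://example.test/f' onmouseover='void(0)" };

// Vulnerable pattern: stored value interpolated into a single-quoted attribute as-is.
function renderLinkUnsafe(link) {
  return `<a class='link' href='${link.url}'>${link.name}</a>`;
}

// Escape every character that can end an attribute value or open a tag.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: escape at the point of output, for attribute and text alike.
function renderLinkSafe(link) {
  return `<a class='link' href='${escapeHtml(link.url)}'>${escapeHtml(link.name)}</a>`;
}

// Check: list the attribute names a parser would see on the first opening tag.
function attributeNames(html) {
  const tag = html.slice(html.indexOf("<") + 1);
  const names = [];
  // One attribute per match: name, then an optional quoted or unquoted value.
  const re = /\s+([^\s=>\/]+)(?:\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]+))?/y;
  re.lastIndex = tag.search(/[\s>]/); // start right after the tag name
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag ended up with an inline event-handler attribute.
function hasEventHandler(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

console.log("unsafe:", attributeNames(renderLinkUnsafe(storedLink)));
console.log("safe:  ", attributeNames(renderLinkSafe(storedLink)));
```

A `script-src` policy without `'unsafe-inline'` would additionally stop an injected inline handler from running, which is the missing restriction the summary refers to.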
Affected products: pyLoad
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45348
https://github.com/pyload/pyload/security/advisories/GHSA-fcjq-435v-jx94
This article was created with the assistance of AI technology by Perceptive.
