CVE-2026-35464
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
07/04/2026
Last modified:
23/04/2026
Description
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:* | 2026-04-02 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
- https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
- https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx
- https://www.cve.org/CVERecord?id=CVE-2026-33509
- https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j