High severity8.8NVD Advisory· Published Apr 7, 2026· Updated Apr 24, 2026
CVE-2026-35463
CVE-2026-35463
Description
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pyload-ngPyPI | <= 0.5.0b3.dev96 | — |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1nvdPatchWEB
- github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5frnvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-w48f-wwwf-f5frghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35463ghsaADVISORY
News mentions
0No linked articles in our index yet.