CVE-2026-35463
Description
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pyload-ngPyPI | <= 0.5.0b3.dev96 | — |
Affected products
1- cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*Range: <=0.5.0b3.dev96
Patches
1c4cf995a2803fix GHSA-4744-96p5-mp2j and GHSA-w48f-wwwf-f5fr security advisories
1 file changed · +30 −19
src/pyload/core/api/__init__.py+30 −19 modified@@ -223,17 +223,33 @@ def set_config_value(self, category: str, option: str, value: Any, section: str :param value: new config value :param section: 'plugin' or 'core """ + try: + try: + user_info = flask.g.user_info + except AttributeError: + user_info = flask.session + + # Attempt to access outside an active Flask request + except RuntimeError: + user_info = {"role": Role.ADMIN} + is_admin = user_info.get("role") == Role.ADMIN - ADMIN_ONLY_OPTIONS = { + ADMIN_ONLY_CORE_OPTIONS = { + ("general", "storage_folder"), + ("log", "syslog_host"), + ("log", "syslog_port"), + ("proxy", "password"), + ("proxy", "username"), ("reconnect", "script"), ("webui", "host"), - ("webui", "use_ssl"), ("webui", "ssl_cert"), ("webui", "ssl_key"), - ("log", "syslog_host"), - ("log", "syslog_port"), - ("proxy", "username"), - ("proxy", "password"), + ("webui", "use_ssl"), + } + + ADMIN_ONLY_PLUGIN_OPTIONS = { + ("AntiVirus", "avfile"), + ("AntiVirus", "avargs"), } if section == "core": @@ -248,19 +264,9 @@ def set_config_value(self, category: str, option: str, value: Any, section: str return # Require ADMIN role for security-critical settings - try: - try: - user_info = flask.g.user_info - except AttributeError: - user_info = flask.session - - if (category, option) in ADMIN_ONLY_OPTIONS and user_info.get("role") != Role.ADMIN: - self.pyload.log.error(self._("Writing config value {}/{} requires Admin role").format(category, option)) - return - - # Attempt to access outside an active Flask request - except RuntimeError: - pass + if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin: + self.pyload.log.error(self._("Writing config value {}/{} requires Admin role").format(category, option)) + return self.pyload.config.set(category, option, value) @@ -271,6 +277,11 @@ def set_config_value(self, category: str, option: str, value: Any, section: str self.pyload.request_factory.update_bucket() elif section == "plugin": + # Require ADMIN role for security-critical settings + if (category, option) in ADMIN_ONLY_PLUGIN_OPTIONS and not is_admin: + self.pyload.log.error(self._("Writing config value {}/{} requires Admin role").format(category, option)) + return + self.pyload.config.set_plugin(category, option, value) self.pyload.addon_manager.dispatch_event(
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1nvdPatchWEB
- github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5frnvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-w48f-wwwf-f5frghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35463ghsaADVISORY
News mentions
0No linked articles in our index yet.