CVE-2026-35464
Description
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pyload-ngPyPI | <= 0.5.0b3 | — |
Affected products
1Patches
1c4cf995a2803fix GHSA-4744-96p5-mp2j and GHSA-w48f-wwwf-f5fr security advisories
1 file changed · +30 −19
src/pyload/core/api/__init__.py+30 −19 modified@@ -223,17 +223,33 @@ def set_config_value(self, category: str, option: str, value: Any, section: str :param value: new config value :param section: 'plugin' or 'core """ + try: + try: + user_info = flask.g.user_info + except AttributeError: + user_info = flask.session + + # Attempt to access outside an active Flask request + except RuntimeError: + user_info = {"role": Role.ADMIN} + is_admin = user_info.get("role") == Role.ADMIN - ADMIN_ONLY_OPTIONS = { + ADMIN_ONLY_CORE_OPTIONS = { + ("general", "storage_folder"), + ("log", "syslog_host"), + ("log", "syslog_port"), + ("proxy", "password"), + ("proxy", "username"), ("reconnect", "script"), ("webui", "host"), - ("webui", "use_ssl"), ("webui", "ssl_cert"), ("webui", "ssl_key"), - ("log", "syslog_host"), - ("log", "syslog_port"), - ("proxy", "username"), - ("proxy", "password"), + ("webui", "use_ssl"), + } + + ADMIN_ONLY_PLUGIN_OPTIONS = { + ("AntiVirus", "avfile"), + ("AntiVirus", "avargs"), } if section == "core": @@ -248,19 +264,9 @@ def set_config_value(self, category: str, option: str, value: Any, section: str return # Require ADMIN role for security-critical settings - try: - try: - user_info = flask.g.user_info - except AttributeError: - user_info = flask.session - - if (category, option) in ADMIN_ONLY_OPTIONS and user_info.get("role") != Role.ADMIN: - self.pyload.log.error(self._("Writing config value {}/{} requires Admin role").format(category, option)) - return - - # Attempt to access outside an active Flask request - except RuntimeError: - pass + if (category, option) in ADMIN_ONLY_CORE_OPTIONS and not is_admin: + self.pyload.log.error(self._("Writing config value {}/{} requires Admin role").format(category, option)) + return self.pyload.config.set(category, option, value) @@ -271,6 +277,11 @@ def set_config_value(self, category: str, option: str, value: Any, section: str self.pyload.request_factory.update_bucket() elif section == "plugin": + # Require ADMIN role for security-critical settings + if (category, option) in ADMIN_ONLY_PLUGIN_OPTIONS and not is_admin: + self.pyload.log.error(self._("Writing config value {}/{} requires Admin role").format(category, option)) + return + self.pyload.config.set_plugin(category, option, value) self.pyload.addon_manager.dispatch_event(
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1nvdPatchWEB
- github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2jnvdExploitVendor AdvisoryMitigationWEB
- github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxxnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-4744-96p5-mp2jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33509ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35464ghsaADVISORY
- www.cve.org/CVERecordnvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.