Medium severity5.4NVD Advisory· Published Apr 9, 2026· Updated Apr 28, 2026

CVE-2026-40071

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pyload-ngPyPI	<= 0.5.0b3	—

Affected products

Pyload/Pyload
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
Range: <2026-04-13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwmnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-rfgh-63mg-8pwmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-40071ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000