CVE-2026-42312
Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
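The following is an added example, not pyLoad's own code: a simplified model of a permission-gated set_config_value() that protects sensitive options with a hand-maintained admin-only denylist, showing why the missed ("general", "ssl_verify") entry lets a SETTINGS-only user drive the pycurl verification flags to zero, and how a deny-by-default allowlist of non-admin-editable options closes that class of gap rather than one entry at a time. The Perms, ADMIN_ONLY_CORE_OPTIONS and set_config_value names mirror the advisory's wording; the option lists, the Forbidden exception and the helper functions are constructed assumptions.

```python
from enum import IntFlag


class Perms(IntFlag):
    """Permission bits (constructed; only the SETTINGS name comes from the advisory)."""
    SETTINGS = 1
    ADMIN = 2


class Forbidden(Exception):
    """Raised when a caller lacks the permission an option requires (constructed)."""


def _as_bool(value):
    """Accept the 'off'/'on' style values the advisory mentions as well as bools."""
    if isinstance(value, str):
        return value.strip().lower() not in ("off", "false", "0", "no", "")
    return bool(value)


# Constructed stand-in for the hand-maintained denylist before the fix.
# "other_admin_option" is a placeholder, not a real pyLoad option.
ADMIN_ONLY_CORE_OPTIONS_BEFORE = frozenset({("general", "other_admin_option")})
# Shape of the fix the advisory describes: the missed option is appended.
ADMIN_ONLY_CORE_OPTIONS_AFTER = ADMIN_ONLY_CORE_OPTIONS_BEFORE | {("general", "ssl_verify")}


def set_config_value(store, perms, section, option, value, admin_only):
    """Denylist model: any SETTINGS holder may write an option unless it is
    explicitly marked admin-only. Every option missing from the list is exposed."""
    if not perms & Perms.SETTINGS:
        raise Forbidden("SETTINGS permission required")
    if (section, option) in admin_only and not perms & Perms.ADMIN:
        raise Forbidden(f"{section}.{option} is admin-only")
    store[(section, option)] = _as_bool(value)
    return store


# Deny-by-default alternative: non-admins may only write an explicit allowlist of
# low-risk options (placeholder entry); anything not listed needs ADMIN, so a
# newly added security-sensitive option is protected without anyone remembering it.
SETTINGS_EDITABLE_OPTIONS = frozenset({("general", "max_downloads")})


def set_config_value_default_deny(store, perms, section, option, value):
    if not perms & Perms.SETTINGS:
        raise Forbidden("SETTINGS permission required")
    if (section, option) not in SETTINGS_EDITABLE_OPTIONS and not perms & Perms.ADMIN:
        raise Forbidden(f"{section}.{option} requires ADMIN")
    store[(section, option)] = _as_bool(value)
    return store


def curl_verify_options(store):
    """Map general.ssl_verify to the pycurl option values the advisory names.
    SSL_VERIFYHOST=2 is libcurl's default (match hostname against the certificate);
    0 on both disables peer and hostname verification entirely."""
    enabled = store.get(("general", "ssl_verify"), True)
    return {"SSL_VERIFYPEER": 1 if enabled else 0, "SSL_VERIFYHOST": 2 if enabled else 0}


def attempt_as_settings_user(admin_only):
    """Simulate a non-admin SETTINGS user setting general.ssl_verify = off under
    a given denylist. Returns the resulting pycurl flags, or the rejection message."""
    store = {("general", "ssl_verify"): True}
    try:
        set_config_value(store, Perms.SETTINGS, "general", "ssl_verify", "off", admin_only)
    except Forbidden as exc:
        return str(exc)
    return curl_verify_options(store)


def attempt_default_deny(perms):
    """Same write under the deny-by-default model, for a given permission set."""
    store = {("general", "ssl_verify"): True}
    try:
        set_config_value_default_deny(store, perms, "general", "ssl_verify", "off")
    except Forbidden as exc:
        return str(exc)
    return curl_verify_options(store)


if __name__ == "__main__":
    print("denylist before fix:", attempt_as_settings_user(ADMIN_ONLY_CORE_OPTIONS_BEFORE))
    print("denylist after fix: ", attempt_as_settings_user(ADMIN_ONLY_CORE_OPTIONS_AFTER))
    print("default deny, SETTINGS only:", attempt_default_deny(Perms.SETTINGS))
    print("default deny, ADMIN:        ", attempt_default_deny(Perms.SETTINGS | Perms.ADMIN))
```

The point of the second model is the one the advisory's fix history makes: four earlier CVEs each added one more option to the same denylist, which is the signature of a gate that fails open. An allowlist of what a lower-privileged role may change fails closed, and a unit test that asserts every known security-sensitive option is rejected for a SETTINGS-only caller (as attempt_as_settings_user does here) is the regression check to carry alongside it.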
Affected products
Patches
No patches discovered yet.
References
- github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9 (vendor advisory)
- github.com/advisories/GHSA-ccxc-x975-4hh9
- github.com/advisories/GHSA-4744-96p5-mp2j
- github.com/advisories/GHSA-ppvx-rwh9-7rj7
- github.com/advisories/GHSA-r7mc-x6x7-cqxx
- github.com/advisories/GHSA-w48f-wwwf-f5fr
- nvd.nist.gov/vuln/detail/CVE-2026-42312
News mentions
No linked articles in our index yet.