anonhaven
Ad

CVE-2026-33509

HIGH CVSS 3.1: 8.8 EPSS 0.06%
Updated Mar 26, 2026
Python
Parameter Value
CVSS 8.8 (HIGH)
Affected Versions 0.4 — 0.5.0b3.dev97
Fixed In 0.5.0
Type CWE-269 (Improper Privilege Management)
Vendor Python
Public PoC No

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic.

A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-269 Improper Privilege Management

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Pyload Pyload
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
 0.4 <= 0.4.20
Pyload-Ng_Project Pyload-Ng
cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*
 0.5.0a5.dev528 0.5.0b3.dev97

References 1

https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33699

Python

4.6

CVE-2026-33682

Python

4.7

CVE-2026-33545

Python

5.3

CVE-2026-33430

Python

7.3

CVE-2026-33511

Python

8.8