{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35464", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.193Z", "datePublished": "2026-04-07T14:38:02.480Z", "dateUpdated": "2026-04-07T15:58:59.013Z"}, "containers": {"cna": {"title": "pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j"}, {"name": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}, {"name": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1"}, {"name": "https://www.cve.org/CVERecord?id=CVE-2026-33509", "tags": ["x_refsource_MISC"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-33509"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "<= 0.5.0b3.dev96", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:38:02.480Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1."}], "source": {"advisory": "GHSA-4744-96p5-mp2j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:12:26.147429Z", "id": "CVE-2026-35464", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:58:59.013Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35464", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T15:12:26.147429Z"}}}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:12:37.823Z"}}], "cna": {"title": "pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution", "source": {"advisory": "GHSA-4744-96p5-mp2j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": "<= 0.5.0b3.dev96"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1", "name": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1", "tags": ["x_refsource_MISC"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-33509", "name": "https://www.cve.org/CVERecord?id=CVE-2026-33509", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:38:02.480Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35464", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:58:59.013Z", "dateReserved": "2026-04-02T19:25:52.193Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T14:38:02.480Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "970C5BF4-1BD4-470D-A352-57CADD3CA326", "versionEndExcluding": "2026-04-02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1."}], "id": "CVE-2026-35464", "lastModified": "2026-04-23T15:13:57.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T15:17:44.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-33509"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.0b3.dev96]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-04-07T19:51:46.266423+00:00", "value": {"mitigation_remediation": ["Apply the authoritative fix that merges commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 to the pyLoad source repository.", "Upgrade pyLoad to the latest stable release that contains the patch.", "If an upgrade is not immediately possible, disable or remove the storage_folder configuration to eliminate the writable path to the Flask session store.", "Restrict SETTINGS and ADD permissions to a minimal set of trusted accounts until a patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "pyLoad, an open\u2011source Python download manager. All instances that allow users with SETTINGS and ADD capabilities to modify the storage_folder configuration are affected. Any deployment using an older code base prior to the commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 inherits the flaw.", "description_and_impact": "The flaw in pyLoad originates from an incomplete permission check on the storage_folder option. Because this option is not protected by the ADMIN_ONLY_OPTIONS guard, users who hold SETTINGS and ADD rights can point downloads to the Flask session directory, plant a malicious pickle payload as a predictable session file, and force the application to load that payload when any HTTP request is made with the corresponding session cookie. This results in arbitrary code execution on the host where pyLoad runs. The vulnerability is a form of insecure deserialization and improper access control, as identified by CWE\u2011502 and CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. Exploitation requires that the attacker already has a valid session with SETTINGS and ADD permissions, a privilege level that is typically granted to trusted users but still represents a user\u2011level attack vector. The EPSS score is not provided, and the vulnerability is currently not listed in the KEV catalog. Because the attack can be triggered by a normal HTTP request once the malicious session file is in place, the potential impact is system\u2011wide code execution for the user under which pyLoad operates."}}}}, "created": "2026-04-08T19:37:25.731404+00:00", "updated": "2026-04-08T19:48:44.930571+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}