{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40071", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.204Z", "datePublished": "2026-04-09T17:36:24.837Z", "dateUpdated": "2026-04-10T14:09:11.900Z"}, "containers": {"cna": {"title": "pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:36:24.837Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-rfgh-63mg-8pwm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:09:08.811272Z", "id": "CVE-2026-40071", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:09:11.900Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40071", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:09:08.811272Z"}}}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:08:54.731Z"}}], "cna": {"title": "pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions", "source": {"advisory": "GHSA-rfgh-63mg-8pwm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": "< 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:36:24.837Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40071", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:09:11.900Z", "dateReserved": "2026-04-09T00:39:12.204Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T17:36:24.837Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "631877F0-7E83-469E-BC2B-244AB14E0274", "versionEndExcluding": "2026-04-13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97."}], "id": "CVE-2026-40071", "lastModified": "2026-04-28T00:53:26.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T18:17:03.367", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-04-09T19:22:09.405949+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or later"], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "pyLoad users running versions prior to 0.5.0b3.dev97 are affected. The offending components are the three WebUI JSON endpoints that expose modify functionality. Any deployment of pyLoad before the stated patch contains the flaw.", "description_and_impact": "The vulnerability allows authenticated users with low privileges to perform MODIFY operations through the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints. These endpoints enforce weaker permissions than the core API methods they call, permitting actions such as adding or deleting users that should be denied. This results in unauthorized modification of configuration and potentially access to protected resources. The weakness is a classic permission mismatch, identified as CWE\u2011863, and directly facilitates privilege escalation within the pyLoad system.", "risk_and_exploitability": "The CVSS score of 5.4 indicates medium severity. Exploitation requires the attacker to be authenticated to the pyLoad WebUI, so the attack vector is internal or remote but limited to known users. No EPSS score is provided, and the flaw is not listed in the CISA KEV catalog. Because the flaw is limited to the WebUI and does not enable remote code execution, the risk is constrained to privilege escalation and data modification for authenticated users."}}}}, "created": "2026-04-10T08:52:43.457772+00:00", "updated": "2026-04-10T09:31:53.653649+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}