Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Non‑admin SETTINGS users can modify any configuration via the set_config_value API in pyLoad. The vulnerable setting, reconnect.script, is passed directly to subprocess.run without validation, allowing an attacker to run arbitrary executables. This missing access control flaw enables remote code execution, a high‑severity weakness classified as CWE‑269.

Affected Systems

The vulnerability affects pyLoad (pyload‑ng project) versions from 0.4.0 up to, but not including, 0.5.0b3.dev97. No other vendors are listed. The patch was released in 0.5.0b3.dev97.

Risk and Exploitability

CVSS 7.5 indicates high severity; EPSS is <1%, so exploitation probability is low but still significant. The vulnerability is not in CISA’s KEV catalog. A user possessing the SETTINGS role—typically a regular user—can trigger the flaw via authenticated API calls. By specifying any executable path in reconnect.script, the attacker can run code on the system, compromising confidentiality, integrity, and availability. The likely attack vector is authenticated local or remote access depending on how pyLoad is deployed.

Generated by OpenCVE AI on March 26, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev97 or later.
  • Ensure that the SETTINGS permission group has no write access to configuration values.
  • If an upgrade is not feasible, revoke or remove the SETTINGS permission from all users.
  • Restart the pyLoad service to apply the changes.

Generated by OpenCVE AI on March 26, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r7mc-x6x7-cqxx pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Pyload-ng Project
Pyload-ng Project pyload-ng
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
Vendors & Products Pyload-ng Project
Pyload-ng Project pyload-ng

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Pyload
Pyload pyload
Vendors & Products Pyload
Pyload pyload

Tue, 24 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.
Title pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Pyload Pyload
Pyload-ng Project Pyload-ng
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:12.902Z

Reserved: 2026-03-20T16:59:08.889Z

Link: CVE-2026-33509

cve-icon Vulnrichment

Updated: 2026-03-26T19:51:20.432Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:30.053

Modified: 2026-03-26T20:47:02.337

Link: CVE-2026-33509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:42Z

Weaknesses