Description
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An attacker who obtains the SETTINGS permission in pyLoad can alter the AntiVirus plugin's avfile configuration value. The application passes this value straight to subprocess.Popen without sanitization, allowing the attacker to inject an arbitrary command line. As a consequence, the attacker can execute arbitrary shell commands with the privileges of the pyLoad process, which is typically a privileged user on the host. This flaw results in a high-severity remote code execution vulnerability.

Affected Systems

The flaw affects pyLoad, specifically version 0.5.0b3.dev96 and earlier. Only plugin configuration values are vulnerable; core configuration options remain protected. Users with SETTINGS permission who can edit plugin settings are at risk when using these releases.

Risk and Exploitability

The CVSS base score of 8.8 reflects the high exploitation potential and impact. No EPSS data is available, and the vulnerability is not listed in KEV. The attack vector is internal through the web interface; an attacker needs only SETTINGS permission to modify the avfile value. Because the flaw allows execution of arbitrary commands, the risk to confidentiality, integrity, and availability is complete system compromise. The overall exploitability is therefore high.

Generated by OpenCVE AI on April 7, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to the latest version where the AntiVirus plugin configuration is sanitized or the fix is applied
  • If upgrading is not immediately possible, remove or disable the AntiVirus plugin to prevent the vulnerable configuration from being written
  • Review user permissions and remove SETTINGS rights from non-admin accounts
  • Monitor logs for unexpected subprocess execution and audit plugin configuration changes



Advisories

Source: GitHub GHSA
ID:     GHSA-w48f-wwwf-f5fr
Title:  pyLoad: Improper Neutralization of Special Elements used in an OS Command
History

Fri, 24 Apr 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Pyload-ng Project
                                       Pyload-ng Project pyload-ng
CPEs                  -                cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*
Vendors & Products    -                Pyload-ng Project
                                       Pyload-ng Project pyload-ng

Wed, 08 Apr 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Pyload
                                       Pyload pyload
Vendors & Products    -                Pyload
                                       Pyload pyload

Wed, 08 Apr 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Description           -                (the CVE description shown at the top of this page)
Title                 -                pyLoad has Improper Neutralization of Special Elements used in an OS Command
Weaknesses            -                CWE-78
References            -                -
Metrics               -                cvssV3_1
                                       {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:46:07.056Z

Reserved: 2026-04-02T19:25:52.193Z

Link: CVE-2026-35463

Vulnrichment

Updated: 2026-04-08T14:46:01.708Z

NVD

Status: Analyzed

Published: 2026-04-07T15:17:44.363

Modified: 2026-04-24T15:18:49.370

Link: CVE-2026-35463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:46Z

Weaknesses