Description
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The flaw originates from an incomplete permission check on the storage_folder option. The earlier fix for CVE-2026-33509 introduced an ADMIN_ONLY_OPTIONS set, but storage_folder is not in it, and the pre-existing path restriction only rejects paths inside PKGDIR or userdir. A user holding SETTINGS and ADD rights can therefore point the download folder at the Flask filesystem session directory, which lies outside both, add a download whose file lands there under the predictable name of their own session file, and wait: the next HTTP request carrying the matching session cookie makes Flask unpickle that file, executing the payload with the privileges of the pyLoad process. The weakness is insecure deserialization (CWE-502) reached through incorrect authorization (CWE-863).
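To make the chain concrete, here is an added Python model, written for this page and not pyLoad's own code, of the incomplete guard and of a filesystem session store that unpickles a planted file. PKGDIR, USERDIR, the contents of the two admin-only sets, set_option(), FileSystemSessionStore and MarkerPayload are assumptions for illustration; the session filename scheme is a stand-in for whatever the real Flask store uses, and FIXED_ADMIN_ONLY shows one plausible hardening (making storage_folder admin-only), not necessarily what commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 does. The payload only creates a directory, so the demo is harmless.

```python
"""
Added example, not pyLoad's code: a reduced model of the incomplete guard
described in the advisory and of why a planted session file runs on the
next request. All names below are assumptions, not pyLoad identifiers.
"""
import hashlib
import os
import pickle
import tempfile
from pathlib import Path

# Assumed directory layout (constructed for this example).
PKGDIR = Path("/opt/pyload/pkg")         # application package directory
USERDIR = Path("/home/pyload/.pyload")   # per-user data directory

# Before the fix: options an ordinary user may not change (placeholder names).
# storage_folder is missing, which is the whole problem.
INCOMPLETE_ADMIN_ONLY = frozenset({"remote", "ssl"})
# Hardened variant: storage_folder is admin-only too (assumed fix shape).
FIXED_ADMIN_ONLY = INCOMPLETE_ADMIN_ONLY | {"storage_folder"}


def _inside(path, root):
    """True if path resolves to root or somewhere under it."""
    try:
        Path(path).resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def set_option(option, value, is_admin, admin_only):
    """Model of a settings handler; returns 'ok' or a rejection reason."""
    if option in admin_only and not is_admin:
        return "denied: admin only"
    if option == "storage_folder":
        # The pre-existing path restriction only refuses paths that land
        # inside the package or user directory. The Flask session store is
        # outside both, so it passes.
        if _inside(value, PKGDIR) or _inside(value, USERDIR):
            return "denied: path inside PKGDIR/userdir"
    return "ok"


class FileSystemSessionStore:
    """Minimal stand-in for a Flask filesystem session store: session data is
    pickled to a file whose name derives from the session id in the cookie
    (here a hash of the id, so the name is predictable from the cookie)."""

    def __init__(self, directory):
        self.directory = Path(directory)
        self.directory.mkdir(parents=True, exist_ok=True)

    def path_for(self, sid):
        return self.directory / hashlib.sha256(sid.encode()).hexdigest()

    def save(self, sid, data):
        self.path_for(sid).write_bytes(pickle.dumps(data))

    def load(self, sid):
        path = self.path_for(sid)
        if not path.exists():
            return {}
        # Deserialises whatever bytes sit in the file; a planted file runs here.
        return pickle.loads(path.read_bytes())


class MarkerPayload:
    """Stand-in for a malicious pickle: on load, __reduce__ makes the unpickler
    call os.mkdir. A real payload would call os.system or similar instead."""

    def __init__(self, marker_dir):
        self.marker_dir = str(marker_dir)

    def __reduce__(self):
        return (os.mkdir, (self.marker_dir,))


def simulate(admin_only, is_admin=False):
    """Play the scenario from the advisory in a temporary directory.
    Returns (decision on the storage_folder change, whether the payload ran)."""
    with tempfile.TemporaryDirectory() as tmp:
        session_dir = Path(tmp) / "flask_session"
        marker = Path(tmp) / "payload_ran"
        store = FileSystemSessionStore(session_dir)
        sid = "attacker-session-id"                # constructed cookie value
        store.save(sid, {"user": "lowpriv"})       # the attacker's real session

        # 1. The user tries to point storage_folder at the session store.
        decision = set_option("storage_folder", str(session_dir), is_admin, admin_only)
        if decision == "ok":
            # 2. A "download" with a chosen filename lands in storage_folder,
            #    overwriting the attacker's own session file (modelled as a write).
            target = session_dir / store.path_for(sid).name
            target.write_bytes(pickle.dumps(MarkerPayload(marker)))
        # 3. Any request carrying that cookie makes the app load the session.
        store.load(sid)
        return decision, marker.exists()


if __name__ == "__main__":
    print("incomplete guard:", simulate(INCOMPLETE_ADMIN_ONLY))  # ('ok', True)
    print("fixed guard:", simulate(FIXED_ADMIN_ONLY))            # ('denied: admin only', False)
```

With the incomplete set the non-admin's storage_folder change is accepted, the planted file overwrites the attacker's own session file, and loading the session executes the payload. With storage_folder in the admin-only set the change is refused and nothing is deserialised. Note that in this model an admin can still perform the same steps: the hardening draws a trust boundary at the admin role rather than removing the unpickling path, so keeping admin accounts to a minimum remains part of the mitigation.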

Affected Systems

pyLoad, an open-source Python download manager. Any deployment built from source prior to commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 is affected, including deployments that already carry the fix for CVE-2026-33509, since that fix left storage_folder unprotected. The flaw is exploitable wherever a non-admin account holds both SETTINGS and ADD permissions.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H scores 7.5 High: network-reachable, no user interaction, low privileges required (an account with SETTINGS and ADD permissions, normally granted only to trusted users), but high attack complexity, since the attacker has to know the session directory and the session file naming scheme. EPSS is below 1% and the CVE is not in the KEV catalog, although the SSVC record marks exploitation as "poc", meaning proof-of-concept code exists. Once the file is planted, a single ordinary HTTP request with the matching cookie triggers deserialization, giving code execution with the privileges of the pyLoad process; if pyLoad runs as root or an account with broad filesystem access, that is full compromise of the host.

Generated by OpenCVE AI on April 7, 2026 at 19:51 UTC.

Remediation

The advisory identifies commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 as the fix; no separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Apply commit c4cf995a2803bdbe388addfc2b0f323277efc0e1, or upgrade to a pyLoad release that contains it, and confirm the deployed tree includes the commit (for example with git branch --contains c4cf995a2803bdbe388addfc2b0f323277efc0e1) rather than relying on the version string alone.
  • If an upgrade is not immediately possible, backport the check: add storage_folder to the ADMIN_ONLY_OPTIONS set introduced for CVE-2026-33509 so that only admins can change it. Do not simply delete the option; storage_folder is the download location and pyLoad needs it.
  • Restrict SETTINGS and ADD permissions to a minimal set of trusted accounts, and audit existing accounts for that combination.
  • Check the current value of storage_folder and the Flask session directory for unexpected paths or recently written files; either would indicate an attempt.
  • Run pyLoad under an unprivileged account so that code execution through the session store does not become a root compromise.



Advisories
Source: GitHub GHSA
ID: GHSA-4744-96p5-mp2j
Title: pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
History

Thu, 23 Apr 2026 15:15:00 +0000

Values added:
CPEs: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Values added:
First Time appeared: Pyload; Pyload pyload
Vendors & Products: Pyload; Pyload pyload

Tue, 07 Apr 2026 18:00:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 15:15:00 +0000

Values added:
Description: (identical to the Description section above)
Title: pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
Weaknesses: CWE-502, CWE-863
References:
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-07T15:58:59.013Z
Reserved: 2026-04-02T19:25:52.193Z
Link: CVE-2026-35464

Vulnrichment

Updated: 2026-04-07T15:12:37.823Z

NVD

Status: Analyzed
Published: 2026-04-07T15:17:44.523
Modified: 2026-04-23T15:13:57.010
Link: CVE-2026-35464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:44Z

Weaknesses