Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-28
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pyLoad is a free, open-source download manager written in Python. The earlier fix for CVE-2026-33509 stopped the storage_folder configuration parameter from being set inside PKGDIR or userdir, but it did not cover the Flask session directory (/tmp/pyLoad/flask). An authenticated user could therefore point the download directory at the session folder and retrieve session files belonging to other users through the /files/get/ endpoint, taking over their accounts. The vulnerability is present in all releases before 0.5.0b3.dev100 and is fixed in that version and later.

Affected Systems

All installations of pyLoad older than 0.5.0b3.dev100 are affected. The issue is tracked against the pyload:pyload vendor/product pair; any deployment running a pre-0.5.0b3.dev100 release is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog, so no in-the-wild exploitation has been documented so far. An attacker must first authenticate; once logged in they can change the storage_folder setting to the session directory and retrieve other users' session data through the download endpoint. The risk is moderate: a single compromised credential can be turned into a complete takeover of other accounts, but the need for valid credentials lowers the likelihood of automated, unauthenticated exploitation.

Generated by OpenCVE AI on May 28, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev100 or newer to disable the storage_folder bypass and remove the vulnerable code path.
  • If an upgrade cannot be performed immediately, configure pyLoad so that the storage_folder parameter cannot resolve to the Flask session directory, for example by hard-coding a safe path or by validating that the path does not start with "/tmp/pyLoad/flask".
  • Ensure that the filesystem permissions on the Flask session directory (/tmp/pyLoad/flask) are restricted (e.g., 700) so that other local OS accounts cannot read session files written by the service. This limits exposure to other users on the host; it does not stop the pyLoad process itself from serving those files via /files/get/ once storage_folder points there, so it complements rather than replaces the upgrade.
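One way to implement the path check from the second recommendation, as an added example that is not pyLoad's own code: the candidate is resolved to its canonical form before being compared with each protected directory, because a literal prefix test can be evaded by "." or ".." segments and wrongly rejects sibling directories that merely share the prefix. The Flask session directory is the one named in this advisory; the PKGDIR and USERDIR values are hypothetical placeholders.

```python
import os

# Directories a storage_folder must never resolve into. The Flask session
# directory is the one named in the advisory; PKGDIR and USERDIR are
# hypothetical placeholders, not pyLoad's real values.
FLASK_SESSION_DIR = "/tmp/pyLoad/flask"
PKGDIR = "/opt/pyload/pyload"
USERDIR = "/home/pyload/.pyload"
FORBIDDEN_ROOTS = (FLASK_SESSION_DIR, PKGDIR, USERDIR)


def naive_prefix_check(candidate: str, root: str = FLASK_SESSION_DIR) -> bool:
    """The weak form: a literal string-prefix test on the raw config value.

    Returns True when the path is (supposedly) allowed. It accepts
    '/tmp/pyLoad/./flask' and rejects the unrelated '/tmp/pyLoad/flask2'."""
    return not candidate.startswith(root)


def _resolves_within(candidate: str, root: str) -> bool:
    """True if candidate is root itself or lies anywhere beneath it.

    Both sides go through realpath so '.', '..', doubled or trailing
    slashes and symlinks are collapsed before the comparison."""
    cand = os.path.realpath(candidate)
    base = os.path.realpath(root)
    try:
        return os.path.commonpath([cand, base]) == base
    except ValueError:
        return False  # different anchors (e.g. drive letters) cannot nest


def is_safe_storage_folder(candidate: str,
                           forbidden_roots=FORBIDDEN_ROOTS) -> bool:
    """Accept a storage_folder only if its canonical form lies outside every
    protected directory. Relative paths are refused because their meaning
    depends on the daemon's working directory."""
    if not os.path.isabs(candidate):
        return False
    return not any(_resolves_within(candidate, r) for r in forbidden_roots)


if __name__ == "__main__":
    for p in ("/srv/downloads", "/tmp/pyLoad/flask2",
              "/tmp/pyLoad/./flask", "/tmp/pyLoad/other/../flask/sessions"):
        print(f"{p:40} naive={naive_prefix_check(p)!s:5} "
              f"safe={is_safe_storage_folder(p)}")
```

The same check can be applied to any directory-valued setting that the web UI lets a user change, not only storage_folder.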

Advisories

Source: GitHub GHSA
ID: GHSA-w727-595x-pc3r
Title: pyLoad Has Incomplete Fix for CVE-2026-33509 - storage_folder Bypass via Session Directory in pyLoad
History

Thu, 28 May 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Pyload; Pyload pyload

Type: Vendors & Products
Values Added: Pyload; Pyload pyload

Thu, 28 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 18:00:00 +0000

Type: Description
Values Added: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100.

Type: Title
Values Added: pyLoad: Incomplete Fix for CVE-2026-33509 - storage_folder Bypass via Session Directory

Type: Weaknesses
Values Added: CWE-706

Type: References

Type: Metrics (cvssV3_1)
Values Added:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T18:49:45.693Z

Reserved: 2026-05-11T20:14:43.202Z

Link: CVE-2026-45306

Vulnrichment

Updated: 2026-05-28T18:49:15.973Z

NVD

Status: Received

Published: 2026-05-28T18:16:34.777

Modified: 2026-05-28T20:16:24.657

Link: CVE-2026-45306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses