Arbitrary Code Execution Vulnerability in pyLoad Download Manager by pyLoad
CVE-2026-35464
CVSS 7.5 HIGH
What is CVE-2026-35464?
A vulnerability in the pyLoad download manager allows a user who holds the SETTINGS and ADD permissions to abuse insufficiently restricted configuration options and achieve arbitrary code execution. Specifically, the 'storage_folder' setting can be pointed at the directory used by the Flask filesystem session store, so that downloaded files are written into it. Because that store deserialises session files with pickle, an attacker who downloads a malicious pickle payload into a predictably named session file gets it executed by the server on any later HTTP request that carries the matching session cookie. The issue is fixed in commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
Affected Version(s)
pyload <= 0.5.0b3.dev96
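The root cause is a user-controlled directory setting that may resolve to a location the application itself trusts. The following is an added illustration of the kind of server-side check that mitigates this class of bug; it is not pyLoad's own code and not the content of the fix commit above, and the directory names are constructed for the example.

```python
import os
from pathlib import Path
from typing import Iterable, Optional

# Constructed example layout (not pyLoad's real paths): downloads may only
# land under ALLOWED_ROOT, and SESSION_DIR is where the Flask filesystem
# session store keeps its pickled session files.
ALLOWED_ROOT = "/srv/pyload/downloads"
SESSION_DIR = "/srv/pyload/flask_session"


def canonical(path: str) -> Path:
    """Resolve symlinks and '..' components so comparisons use real locations."""
    return Path(os.path.realpath(path))


def is_within(child: Path, parent: Path) -> bool:
    """True if child is parent itself or lies somewhere below it."""
    try:
        child.relative_to(parent)
        return True
    except ValueError:
        return False


def check_storage_folder(candidate: str, allowed_root: str = ALLOWED_ROOT,
                         protected_dirs: Iterable[str] = (SESSION_DIR,)) -> Optional[str]:
    """Return None if the folder is acceptable, otherwise a rejection reason.

    Two conditions are enforced: the folder must stay inside allowed_root, and it
    must neither sit inside a protected directory nor be an ancestor of one (an
    ancestor is dangerous because a download's relative sub-path could still
    reach into the protected directory).
    """
    resolved = canonical(candidate)
    root = canonical(allowed_root)
    if not is_within(resolved, root):
        return f"{resolved} is outside the allowed download root {root}"
    for protected in protected_dirs:
        prot = canonical(protected)
        if is_within(resolved, prot) or is_within(prot, resolved):
            return f"{resolved} overlaps the protected directory {prot}"
    return None


def set_storage_folder(candidate: str) -> Path:
    """Validate a requested storage folder before accepting it into the config."""
    reason = check_storage_folder(candidate)
    if reason is not None:
        raise ValueError(f"rejected storage_folder: {reason}")
    return canonical(candidate)
```

The second condition matters when an administrator chooses a download root that contains the session directory; a check for "inside the root" alone would still accept such a setting.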
