Incorrect Option Name Vulnerability in pyLoad Download Manager by pyLoad
CVE-2026-35586

6.8MEDIUM

Key Information:

Vendor: Pyload
Status: Pyload
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-35586?

pyLoad, a free and open-source download manager, is impacted by an authorization bypass vulnerability due to incorrect option names used in the set_config_value() function. The ADMIN_ONLY_CORE_OPTIONS verification fails for the specific parameters 'ssl_cert' and 'ssl_key', which should be 'ssl_certfile' and 'ssl_keyfile'. This discrepancy allows any user with SETTINGS permission to modify the SSL certificate and key file paths, effectively compromising the integrity of SSL configurations. Additionally, the 'ssl_certchain' option is missing entirely from the admin-only set, further exacerbating the risk. This issue is resolved in version 0.5.0b3.dev97.

Affected Version(s)

pyload < 0.5.0b3.dev97

References

https://github.com/pyload/pyload/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 3, 2026

CVE-2026-35586 Data

JSON

Pyload

What is CVE-2026-35586?

Affected Version(s)

References

CVSS V3.1

Timeline