Permission Weakness in pyLoad Download Manager Affects User Operations
CVE-2026-40071

5.4MEDIUM

Key Information:

Vendor: Pyload
Status: Pyload
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-40071?

In earlier versions of pyLoad, specifically before 0.5.0b3.dev97, vulnerabilities in the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints allowed authenticated low-privileged users to perform MODIFY operations. These actions were intended to be restricted under pyLoad's permission model, exposing a significant security risk. This issue has been addressed in the subsequent version, ensuring that access controls are appropriately enforced.

Affected Version(s)

pyload < 0.5.0b3.dev97

References

https://github.com/pyload/pyload/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Apr 9, 2026

CVE-2026-40071 Data

JSON

Pyload

What is CVE-2026-40071?

Affected Version(s)

References

CVSS V3.1

Timeline