Session Cookie Vulnerability in pyLoad Download Manager by pyLoad
CVE-2026-40594

4.8 MEDIUM

Key Information:

Vendor: Pyload

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-40594?

The pyLoad download manager has a session management vulnerability that lets an attacker weaken the security attributes of session cookies. The 'set_session_cookie_secure' handler does not validate the origin of requests, which leads to a race condition: a malicious request can alter the Secure flag on session cookies. This exposes users to cookie security downgrades and session denial-of-service attacks. The issue affects all versions prior to 0.5.0b3.dev98 and has been addressed in the latest release.

Affected Version(s)

pyload < 0.5.0b3.dev98

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
