Security Flaw in pyLoad Download Manager Affects SSL Verification Settings
CVE-2026-42312

6.8 MEDIUM

Key Information:

Vendor: Pyload

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-42312?

The pyLoad download manager, prior to version 0.5.0b3.dev100, contains a vulnerability in its set_config_value() API method. The flaw allows authenticated users who do not have admin permissions to alter security-sensitive options, specifically to disable SSL verification. Once verification is disabled, an on-path attacker can present forged certificates and have them accepted, because TLS peer and hostname verification are no longer enforced. This poses a significant risk to users who rely on secure connections. The issue underlines the importance of maintaining a robust allowlist for security options, and it follows a pattern set by previous vulnerabilities in the same context.
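The access check this class of flaw calls for, as an added example (not pyLoad's code or its actual fix): a default-deny allowlist of options that a non-admin settings editor may write, so that a TLS verification switch is refused without having to be named. The class names, the option keys (including `general.ssl_verify`) and the `can_edit_settings` flag are hypothetical.

```python
# Added illustration; all names are hypothetical, not pyLoad's real code.
from dataclasses import dataclass, field

# Options a non-admin holder of the settings permission may change.
# Default-deny: anything not listed needs admin, including options added later.
NON_ADMIN_WRITABLE = frozenset({
    ("download", "max_downloads"),  # hypothetical option names
    ("download", "chunks"),
})


class PermissionDenied(Exception):
    """Raised when a caller may not write the requested option."""


@dataclass
class User:
    name: str
    is_admin: bool = False
    can_edit_settings: bool = False


@dataclass
class ConfigStore:
    values: dict = field(default_factory=lambda: {
        ("general", "ssl_verify"): True,  # hypothetical TLS verification switch
        ("download", "max_downloads"): 3,
        ("download", "chunks"): 3,
    })
    audit: list = field(default_factory=list)

    def set_config_value(self, user, section, option, value):
        key = (section, option)
        if key not in self.values:
            raise KeyError(f"unknown option {section}.{option}")
        allowed = user.is_admin or (
            user.can_edit_settings and key in NON_ADMIN_WRITABLE)
        # Record every attempt so refused writes to security options are visible.
        self.audit.append((user.name, section, option, value, allowed))
        if not allowed:
            raise PermissionDenied(
                f"{user.name} may not change {section}.{option}")
        self.values[key] = value
```

Because the decision is keyed on what non-admins may write rather than on what they may not, a newly introduced security option is protected until someone deliberately adds it to the list.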

Affected Version(s)

pyload < 0.5.0b3.dev100

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
