CVE-2026-33509 — Improper Privilege Management in Project Pyload-ng
Severity
8.8HIGHNVD
NVD7.5CNA7.5
EPSS
0.1%
top 75.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 24
Latest updateApr 7
Description
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execu…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9
Affected Packages4 packages
🔴Vulnerability Details
6CVEList▶
pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution↗2026-04-07
GHSA▶
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)↗2026-04-04
OSV▶
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)↗2026-04-04
CVEList▶
pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration↗2026-03-24
GHSA▶
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration↗2026-03-20