cbcvebase.
CVE-2026-35463
published 2026-04-07

CVE-2026-35463: pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts…

PriorityP262high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.81%
52.5th percentile
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.

Affected

5 ranges
VendorProductVersion rangeFixed in
pyload-ng_projectpyload-ng< 0.5.0b3.dev1000.5.0b3.dev100
pyload-ng_projectpyload-ng<= 0.5.0b3.dev96
pyload-ng_projectpyload-ng>= 0 < 0.5.0b3.dev1000.5.0b3.dev100
pyload-ng_projectpyload-ng0 – 0.5.0b3.dev96
pyloadpyload<= 0.5.0b3.dev96

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.