CVE-2026-35463OS Command Injection in Pyload

CWE-78OS Command Injection5 documents5 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 47.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
PyloadPyload-ng Project Pyload-ng
Timeline
PublishedApr 7

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5pyload/pyload0.5.0b3.dev96
PyPIpyload-ng_project/pyload-ng0.5.0b3.dev96

🔴Vulnerability Details

3
CVEList
pyLoad has Improper Neutralization of Special Elements used in an OS Command2026-04-07
GHSA
pyLoad: Improper Neutralization of Special Elements used in an OS Command2026-04-04
OSV
pyLoad: Improper Neutralization of Special Elements used in an OS Command2026-04-04

🕵️Threat Intelligence

1
Wiz
CVE-2026-35463 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35463 — OS Command Injection in Pyload | cvebase