CVE-2026-35464: Deserialization of Untrusted Data in pyLoad

Severity
NVD: 7.5 HIGH
GHSA: 9.8
GHSA: 8.8
OSV: 8.8
EPSS
0.1%
top 74.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 7

Description

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a
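The gap the description identifies is a two-part authorization check: an admin-only set that does not list `storage_folder`, and a path restriction that knows only about PKGDIR and userdir, so the Flask session directory passes. The following is an illustrative model written for this page, not pyLoad's own code, that places the incomplete policy beside a hardened one. The directory paths, the function names and the empty admin-only set are assumptions for illustration (the advisory does not list the other members of `ADMIN_ONLY_OPTIONS`); adding the session store to the protected roots is this example's defense-in-depth suggestion, not something the advisory prescribes.

```python
import os

# Assumed locations: the advisory names these directories but not their paths.
PKGDIR = "/opt/pyload/pkg"                  # installed package directory
USERDIR = "/home/pyload/.pyload"            # user configuration directory
SESSION_DIR = "/opt/pyload/flask_session"   # Flask filesystem session store

# Incomplete policy, modelled on the description: storage_folder is absent from
# the admin-only set and the path restriction covers only PKGDIR and userdir.
# (pyLoad's real ADMIN_ONLY_OPTIONS members are not listed in the advisory, so
# the set is left empty here; what matters is that storage_folder is not in it.)
INCOMPLETE_ADMIN_ONLY = frozenset()
INCOMPLETE_PROTECTED_ROOTS = (PKGDIR, USERDIR)

# Hardened policy: storage_folder becomes admin-only, and the session store is
# also a protected root so that even an admin cannot point downloads at it.
HARDENED_ADMIN_ONLY = frozenset({"storage_folder"})
HARDENED_PROTECTED_ROOTS = (PKGDIR, USERDIR, SESSION_DIR)

# Options whose value is a filesystem path and therefore subject to the root check.
PATH_OPTIONS = frozenset({"storage_folder"})


def is_inside(path: str, root: str) -> bool:
    """True if path resolves to root or to a descendant of it.

    realpath collapses '..' segments and follows symlinks that exist, so a
    value such as PKGDIR + '/../flask_session' is judged by where it lands.
    """
    p = os.path.realpath(path)
    r = os.path.realpath(root)
    return os.path.commonpath([p, r]) == r


def may_set_option(option, value, is_admin, admin_only, protected_roots):
    """Return (allowed, reason) for a config change request."""
    if option in admin_only and not is_admin:
        return False, f"{option} is admin-only"
    if option in PATH_OPTIONS:
        for root in protected_roots:
            if is_inside(value, root):
                return False, f"{value!r} lies inside protected root {root!r}"
    return True, "ok"


def check_incomplete(option, value, is_admin=False):
    """The policy as the description characterises the incomplete fix."""
    return may_set_option(option, value, is_admin,
                          INCOMPLETE_ADMIN_ONLY, INCOMPLETE_PROTECTED_ROOTS)


def check_hardened(option, value, is_admin=False):
    """The same request evaluated against the hardened policy."""
    return may_set_option(option, value, is_admin,
                          HARDENED_ADMIN_ONLY, HARDENED_PROTECTED_ROOTS)


if __name__ == "__main__":
    # A non-admin holder of SETTINGS permission tries three storage_folder values.
    targets = (SESSION_DIR,
               os.path.join(PKGDIR, "..", "flask_session"),
               "/srv/downloads")
    for name, check in (("incomplete", check_incomplete),
                        ("hardened", check_hardened)):
        for target in targets:
            allowed, reason = check("storage_folder", target)
            verdict = "ALLOW" if allowed else "DENY"
            print(f"{name:10} storage_folder={target}: {verdict} ({reason})")
```

Run stand-alone, the incomplete policy lets the non-admin redirect `storage_folder` to the session store (including via a `..` path out of PKGDIR), while the hardened policy refuses the option to non-admins outright and refuses the session directory to everyone. Whichever set of directories a real deployment has, the check worth keeping is the one on the resolved path, not on the string the user submitted.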

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (2 packages)

CVEList V5: pyload/pyload 0.5.0b3.dev96

Vulnerability Details

CVEList (2026-04-07): pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
GHSA (2026-04-04): pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
OSV (2026-04-04): pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)

Threat Intelligence

Wiz: CVE-2026-35464 Impact, Exploitability, and Mitigation Steps