CVE-2026-42313
Published: 2026-05-11
Priority: P3 (52), high
CVSS 3.1: 8.3, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.40% (31.4th percentile)
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev100 | 0.5.0b3.dev100 |
CVSS provenance
NVD (v3.1): 8.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
GHSA: 8.8 HIGH
VulDB
CVE-2026-42313 [HIGH] pyLoad up to 0.5.0b3.dev100 HTTP Call __init__.py set_config_value confused deputy
vuldb · 2026-05-11 · CVSS 8.3
A vulnerability labeled as critical has been found in pyLoad up to 0.5.0b3.dev100. Affected is the function set_config_value of the file src/pyload/core/api/__init__.py of the component HTTP Call Handler. Executing a manipulation can lead to unintended intermediary.
This vulnerability is registered as CVE-2026-42313. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
GHSA
CVE-2026-42313 [HIGH] CWE-441 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
ghsa · 2026-05-04 · CVSS 8.8
### Summary
The `set_config_value()` API method (`@permission(Perms.SETTINGS)`) in `src/pyload/core/api/__init__.py` gates security-sensitive options behind a hand-maintained allowlist `ADMIN_ONLY_CORE_OPTIONS`. The allowlist contains `("proxy", "username")` and `("proxy", "password")` — which protect the proxy credentials — but it does **not** include `("proxy", "enabled")`, `("proxy", "host")`, `("proxy", "port")`, or `("proxy", "type")`. Any authenticated user with the non-admin `SETTINGS` permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist.
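The weakness the advisory describes is a per-option allowlist that fails open whenever an option is missing from it. The following is an added example, not pyLoad's own code: the section and option names come from the advisory, but `ADMIN_ONLY_CORE_OPTIONS`, `ADMIN_ONLY_SECTIONS`, `apply_setting`, `find_unprotected` and the role strings are hypothetical reconstructions. It models the gap, adds an audit helper that lists which options of a sensitive section a given check leaves writable to non-admins, and shows one hardening that goes beyond the specific fix history on this page: reserving an entire section for admins so a newly added option cannot fall through.

```python
# Added example (not pyLoad's own code): a hypothetical model of the
# ADMIN_ONLY_CORE_OPTIONS allowlist check described in the advisory, the gap
# it leaves, and one way to close it for a whole section at once.
from typing import Callable, Dict, FrozenSet, Iterable, Set, Tuple

ADMIN = "admin"        # hypothetical role names, not pyLoad's Perms values
SETTINGS = "settings"

# Reconstruction of the hand-maintained allowlist as the advisory describes
# it: the proxy credentials are listed, the other proxy options are not.
ADMIN_ONLY_CORE_OPTIONS: FrozenSet[Tuple[str, str]] = frozenset({
    ("proxy", "username"),
    ("proxy", "password"),
})

# Hardened variant (an assumption, not the project's actual fix): every
# option in a security-sensitive section is admin-only, so an option the
# pair list forgets cannot fall through to non-admin SETTINGS users.
ADMIN_ONLY_SECTIONS: FrozenSet[str] = frozenset({"proxy"})

# Options of the proxy section named in the advisory (constructed sample).
PROXY_OPTIONS: Tuple[str, ...] = (
    "enabled", "host", "port", "type", "username", "password",
)

Check = Callable[[str, str], bool]


def is_admin_only_original(section: str, option: str) -> bool:
    """Per-option allowlist: only exact (section, option) pairs are protected."""
    return (section, option) in ADMIN_ONLY_CORE_OPTIONS


def is_admin_only_hardened(section: str, option: str) -> bool:
    """Section-level rule first, then the explicit pairs for other sections."""
    return section in ADMIN_ONLY_SECTIONS or (section, option) in ADMIN_ONLY_CORE_OPTIONS


def apply_setting(config: Dict[Tuple[str, str], object], role: str,
                  section: str, option: str, value: object,
                  admin_only: Check = is_admin_only_hardened) -> bool:
    """Model of set_config_value(): a SETTINGS-role caller may write any option
    the check does not reserve for admins. Returns True if the write was stored,
    False if it was refused."""
    if role != ADMIN and admin_only(section, option):
        return False
    config[(section, option)] = value
    return True


def find_unprotected(section: str, options: Iterable[str],
                     admin_only: Check) -> Set[str]:
    """Audit helper: the options of a sensitive section that a check leaves
    writable to non-admins. A non-empty result is the bug class of this CVE."""
    return {opt for opt in options if not admin_only(section, opt)}


if __name__ == "__main__":
    print("original allowlist misses:",
          sorted(find_unprotected("proxy", PROXY_OPTIONS, is_admin_only_original)))
    print("hardened check misses:",
          sorted(find_unprotected("proxy", PROXY_OPTIONS, is_admin_only_hardened)))
    cfg: Dict[Tuple[str, str], object] = {}
    print("SETTINGS user enabling proxy, original check:",
          apply_setting(cfg, SETTINGS, "proxy", "enabled", True, is_admin_only_original))
    print("SETTINGS user enabling proxy, hardened check:",
          apply_setting(cfg, SETTINGS, "proxy", "enabled", True))
```

Running the module prints the four proxy options the original list misses and an empty set for the section-level check. The audit helper is the part worth keeping around: run it over every section you consider sensitive whenever the option schema changes, so that a missed entry shows up in a test rather than in the next advisory.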
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.