CVE-2026-35463
pyLoad has Improper Neutralization of Special Elements used in an OS Command
Severity
HIGH
Title source: cnaDescription
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.
References (2)
x_refsource_confirm
https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr
x_refsource_misc
https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
Scores
CVSS v3
8.8
EPSS
0.0081
EPSS Percentile
52.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
pyload/pyload
<= 0.5.0b3.dev96
pypi/pyload-ng
0PyPI
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026