Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-35464— pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution

CVSS 7.5 · High EPSS 0.21% · P43
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-35464

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
Source: NVD (National Vulnerability Database)
Vulnerability Description
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
pyLoad 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pyLoad是pyLoad开源的一个用 Python 编写的免费开源下载管理器。 pyLoad存在安全漏洞,该漏洞源于storage_folder选项未包含在ADMIN_ONLY_OPTIONS集合中,且绕过现有路径限制,可能导致具有SETTINGS和ADD权限的用户将下载重定向到Flask文件系统会话存储,植入恶意pickle有效载荷作为可预测的会话文件,并在任何带有相应会话cookie的HTTP请求到达时触发任意代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
pyloadpyload <= 0.5.0b3.dev96 -

II. Public POCs for CVE-2026-35464

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-35464

登录查看更多情报信息。

Same Patch Batch · pyload · 2026-04-07 · 4 CVEs total

CVE-2026-354638.8 HIGHpyLoad has Improper Neutralization of Special Elements used in an OS Command
CVE-2026-355866.8 MEDIUMAuthorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in
CVE-2026-355925.3 MEDIUMpyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.comm

IV. Related Vulnerabilities

Same product: pyload
Same vendor: pyload
Same weakness: CWE-502

V. Comments for CVE-2026-35464

No comments yet

Leave a comment