Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-35464

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-07 Apr, 2026 | 14:38
Updated At-07 Apr, 2026 | 15:58
Rejected At-
Credits

pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:07 Apr, 2026 | 14:38
Updated At:07 Apr, 2026 | 15:58
Rejected At:
▼CVE Numbering Authority (CNA)
pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.

Affected Products
Vendor
pyload
Product
pyload
Versions
Affected
  • <= 0.5.0b3.dev96
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502: Deserialization of Untrusted Data
CWECWE-863CWE-863: Incorrect Authorization
Type: CWE
CWE ID: CWE-502
Description: CWE-502: Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-863
Description: CWE-863: Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
x_refsource_CONFIRM
https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx
x_refsource_MISC
https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
x_refsource_MISC
https://www.cve.org/CVERecord?id=CVE-2026-33509
x_refsource_MISC
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx
Resource:
x_refsource_MISC
Hyperlink: https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
Resource:
x_refsource_MISC
Hyperlink: https://www.cve.org/CVERecord?id=CVE-2026-33509
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
exploit
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:07 Apr, 2026 | 15:17
Updated At:23 Apr, 2026 | 15:13

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
pyload
pyload
>>pyload>>Versions before 2026-04-02(exclusive)
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-502Secondarysecurity-advisories@github.com
CWE-863Secondarysecurity-advisories@github.com
CWE ID: CWE-502
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-863
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1security-advisories@github.com
Patch
https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2jsecurity-advisories@github.com
Exploit
Vendor Advisory
Mitigation
https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxxsecurity-advisories@github.com
Exploit
Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2026-33509security-advisories@github.com
Third Party Advisory
https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
Mitigation
Hyperlink: https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Mitigation
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Hyperlink: https://www.cve.org/CVERecord?id=CVE-2026-33509
Source: security-advisories@github.com
Resource:
Third Party Advisory
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Vendor Advisory
Mitigation

Change History

0
Information is not available yet

Similar CVEs

58Records found
CVE-2024-24926
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-42.10% / 97.46%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 07:09
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Brooklyn Theme <= 4.9.7.6 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

Action-Not Available
Vendor-unitedthemesUnitedThemesunitedthemes
Product-brooklynBrooklyn | Creative Multi-Purpose Responsive WordPress Themebrooklyn_creativie_multi_purpose_responsive_wordpress_theme
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-2501
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-1.22% / 79.12%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:59
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hubbub Lite – Fast, Reliable Social Network Sharing Buttons <= 1.33.1 - PHP Object Injection

The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpsp_maybe_unserialize' function. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Action-Not Available
Vendor-nerdpressteamnerdpressmorehubbub
Product-Hubbub Lite – Fast, free social sharing and follow buttonshubbub_litehubbub_lites
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-1896
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.71% / 72.42%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Gallery <= 1.4.2 - Authenticated(Contributor+) PHP Object Injection via Shortcode

The Photo Gallery – Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.2 via deserialization via shortcode of untrusted input from the 'awl_lg_settings_' attribute. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Action-Not Available
Vendor-A WP Life
Product-Photo Gallery for Images
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-1950
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-1.30% / 79.81%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Carousel Slider & Grid Ultimate for WooCommerce <= 1.9.7 - Authenticated(Contributor+) PHP Object Injection

The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Action-Not Available
Vendor-wpwaxwpwaxwpwax
Product-product_carousel_slider_\&_grid_ultimate_for_woocommerceProduct Carousel Slider & Grid Ultimate for WooCommerceproduct_carosel_slider_\&_grid_ultimate
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-12627
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.81% / 74.35%
||
7 Day CHG~0.00%
Published-11 Jan, 2025 | 02:20
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups <= 1.3.5 - Missing Authorization to Authenticated (Contributor+) PHP Object Injection

The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.5 via deserialization of untrusted input from post content passed to the capture_email AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Action-Not Available
Vendor-premio
Product-Coupon X – Discount Popups & Promo Codes Pop Ups for WooCommerce
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-10740
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.37% / 58.97%
||
7 Day CHG~0.00%
Published-22 Jun, 2020 | 17:39
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.

Action-Not Available
Vendor-[UNKNOWN]Red Hat, Inc.
Product-wildflywildfly
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-39214
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.43% / 62.90%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 15:10
Updated-25 Feb, 2025 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated users of Combodo iTop can take over any account

Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1.

Action-Not Available
Vendor-combodoCombodo
Product-itopiTop
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-4104
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-72.20% / 98.77%
||
7 Day CHG~0.00%
Published-14 Dec, 2021 | 00:00
Updated-03 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Action-Not Available
Vendor-The Apache Software FoundationRed Hat, Inc.Fedora ProjectOracle Corporation
Product-single_sign-onjboss_fuse_service_workshealthcare_data_repositorytuxedoopenshift_container_platformcommunications_network_integrityretail_allocationjboss_data_virtualizationbusiness_intelligencejboss_a-mq_streamingstream_analyticscommunications_eagle_ftp_table_base_retrievaltimesten_gridhyperion_data_relationship_managementjboss_fusefedoracommunications_unified_inventory_managementfusion_middleware_common_libraries_and_toolsjboss_a-mqbusiness_process_management_suitejboss_data_gridintegration_camel_kopenshift_application_runtimese-business_suite_cloud_manager_and_cloud_backup_modulesoftware_collectionsutilities_testing_acceleratorcommunications_messaging_servercommunications_offline_mediation_controllerenterprise_linuxcodeready_studiointegration_camel_quarkusgoldengateidentity_management_suitefinancial_services_revenue_management_and_billing_analyticsweblogic_serverprocess_automationmysql_enterprise_monitorjdeveloperlog4jadvanced_supply_chain_planningjboss_web_serverretail_extract_transform_and_loadhyperion_infrastructure_technologyjboss_enterprise_application_platformjboss_operations_networkenterprise_manager_base_platformApache Log4j 1.x
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • Next
Details not found