Byte Open Security (ByteOS Network)
CVE Vulnerability Details: CVE-2026-35464
PUBLISHED
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 07 Apr, 2026 | 14:38
Updated At: 07 Apr, 2026 | 15:58
Rejected At: (none)

CVE Numbering Authority (CNA)
pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.

Affected Products
Vendor: pyload
Product: pyload
Versions Affected: <= 0.5.0b3.dev96
Problem Types
Type: CWE
CWE ID: CWE-502
Description: CWE-502: Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-863
Description: CWE-863: Incorrect Authorization
Metrics
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
Resource: x_refsource_CONFIRM
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx
Resource: x_refsource_MISC
Hyperlink: https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
Resource: x_refsource_MISC
Hyperlink: https://www.cve.org/CVERecord?id=CVE-2026-33509
Resource: x_refsource_MISC
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
Hyperlink: https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j
Resource: exploit