CVE-2026-35463 · HIGH 8.8 · EPSS percentile 52.3%

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.
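The description above names an access-control gap (an admin-only allow-list that is consulted for core config options but not for plugin options) and a sink (a plugin option that becomes the executable handed to subprocess.Popen). The following is an added toy model of that pattern, not pyLoad's own code: every name in it (ADMIN_ONLY_OPTIONS contents, PLUGIN_ADMIN_ONLY_OPTIONS, User, Config, set_option_vulnerable, set_option_fixed, build_scan_argv, the default scanner path) is an assumption chosen to mirror the advisory, and the hardened variant is one possible fix rather than the project's actual commit. The sink returns the argv it would spawn instead of spawning it, so the example runs offline without side effects.

```python
"""Toy model of the access-control gap behind CVE-2026-35463.

Added illustration, not pyLoad's own code. All identifiers below are
assumptions that mirror the advisory's description: an admin-only list
that covers core config sections but is never applied to plugin sections.
"""
from dataclasses import dataclass, field

PERM_SETTINGS = "SETTINGS"  # assumed name for the non-admin settings permission

# Assumed admin-only list covering only *core* sections, as the advisory
# describes (reconnect scripts, SSL certs, proxy credentials).
ADMIN_ONLY_OPTIONS = {
    "reconnect": {"script"},
    "ssl": {"cert", "key"},
    "proxy": {"username", "password"},
}

# Assumed extension used by the hardened variant: plugin options that name
# an executable are admin-only as well.
PLUGIN_ADMIN_ONLY_OPTIONS = {
    "AntiVirus": {"avfile"},
}


@dataclass
class User:
    name: str
    is_admin: bool = False
    perms: set = field(default_factory=set)


@dataclass
class Config:
    core: dict = field(default_factory=dict)
    plugins: dict = field(default_factory=dict)


def _check_settings_perm(user):
    """Both variants require at least the SETTINGS permission to write config."""
    if not (user.is_admin or PERM_SETTINGS in user.perms):
        raise PermissionError(f"{user.name}: SETTINGS permission required")


def set_option_vulnerable(cfg, user, section, option, value, plugin=False):
    """Vulnerable pattern: the admin-only list is consulted for core options
    only, so any SETTINGS user may rewrite plugin options such as avfile."""
    _check_settings_perm(user)
    if not plugin and option in ADMIN_ONLY_OPTIONS.get(section, set()):
        if not user.is_admin:
            raise PermissionError(f"{section}.{option} is admin-only")
    store = cfg.plugins if plugin else cfg.core
    store.setdefault(section, {})[option] = value


def set_option_fixed(cfg, user, section, option, value, plugin=False):
    """Hardened pattern (one possible fix, not necessarily the project's):
    the admin-only check is applied to plugin sections as well."""
    _check_settings_perm(user)
    table = PLUGIN_ADMIN_ONLY_OPTIONS if plugin else ADMIN_ONLY_OPTIONS
    if option in table.get(section, set()) and not user.is_admin:
        raise PermissionError(f"{section}.{option} is admin-only")
    store = cfg.plugins if plugin else cfg.core
    store.setdefault(section, {})[option] = value


def build_scan_argv(cfg, target):
    """Models the sink: the configured avfile becomes argv[0] of the scanner
    process (the real plugin hands it to subprocess.Popen). The argv is
    returned, not executed, so the example stays side-effect free. The
    default path is an assumption for the demo."""
    avfile = cfg.plugins.get("AntiVirus", {}).get("avfile", "/usr/bin/clamscan")
    return [avfile, target]


def demo():
    """A non-admin SETTINGS user redirects the scanner binary under the
    vulnerable model; the hardened model refuses but still lets an admin
    change it. Returns the observable outcomes for checking."""
    mallory = User("mallory", perms={PERM_SETTINGS})
    root = User("root", is_admin=True)
    cfg = Config()

    # Core admin-only option stays protected even under the vulnerable variant.
    try:
        set_option_vulnerable(cfg, mallory, "reconnect", "script", "/tmp/x.sh")
        core_blocked = False
    except PermissionError:
        core_blocked = True

    # Plugin option is not: the attacker now controls argv[0] of the scan process.
    set_option_vulnerable(cfg, mallory, "AntiVirus", "avfile", "/tmp/evil.sh", plugin=True)
    argv_vulnerable = build_scan_argv(cfg, "/downloads/file.bin")

    fixed_cfg = Config()
    try:
        set_option_fixed(fixed_cfg, mallory, "AntiVirus", "avfile", "/tmp/evil.sh", plugin=True)
        plugin_blocked = False
    except PermissionError:
        plugin_blocked = True
    argv_fixed = build_scan_argv(fixed_cfg, "/downloads/file.bin")

    # Admins keep the ability to configure the scanner under the hardened variant.
    set_option_fixed(fixed_cfg, root, "AntiVirus", "avfile", "/opt/av/scan", plugin=True)
    argv_admin = build_scan_argv(fixed_cfg, "/downloads/file.bin")
    return core_blocked, argv_vulnerable, plugin_blocked, argv_fixed, argv_admin


if __name__ == "__main__":
    print(demo())
```

The point of the model is that a privilege check attached to a list of option names is only as good as the set of config namespaces it is applied to; any option that ends up in argv[0] of a subprocess, wherever it lives, needs the same gate as the core reconnect script.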

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% probability of exploitation · percentile 52.3% · scored 2026-06-19T12:03:05Z
Published: 2026-04-07
Last modified: 2026-04-24

Underlying weaknesses (1)

CWE-78

References

  1. https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
  2. https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr

Type: Weakness
Target: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-33509
  2. CVE: CVE-2026-42313
  3. CVE: CVE-2025-54802
  4. CVE: CVE-2026-35459
  5. CVE: CVE-2026-33511
  6. CVE: CVE-2025-53890

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.