216.73.217.22

CVE-2026-33509

· Published 24/03/2026 20:16 · Modified 25/03/2026 15:41

Labels: CVE-2026-33509 2026-03-24CVE-2026-33509CWE-269[email protected]

Essential information

Published
24/03/2026 20:16
Modified
25/03/2026 15:41
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
pyload / pyload cpe:2.3:a:pyload:pyload:0.4.0-0.5.0b3.dev97:*:*:*:*:*:*:*

References