CVE-2026-35464— pyLoad 安全漏洞

pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

可信数据的反序列化

pyLoad 安全漏洞

pyLoad是pyLoad开源的一个用 Python 编写的免费开源下载管理器。 pyLoad存在安全漏洞，该漏洞源于storage_folder选项未包含在ADMIN_ONLY_OPTIONS集合中，且绕过现有路径限制，可能导致具有SETTINGS和ADD权限的用户将下载重定向到Flask文件系统会话存储，植入恶意pickle有效载荷作为可预测的会话文件，并在任何带有相应会话cookie的HTTP请求到达时触发任意代码执行。

N/A

N/A