CVE-2026-35463

Source
https://cve.org/CVERecord?id=CVE-2026-35463
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35463.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35463
Aliases
Published
2026-04-07T14:32:44.149Z
Modified
2026-07-08T08:10:13.293140192Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
pyLoad has Improper Neutralization of Special Elements used in an OS Command
Details

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMINONLYOPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35463.json",
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "0.5.0b3.dev96"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/pyload/pyload

Affected ranges

Type
GIT
Repo
https://github.com/pyload/pyload
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v0.*
v0.1
v0.1.1
v0.2
v0.2.1
v0.2.2
v0.3
v0.3.1
v0.3.2
v0.4
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35463.json"