GHSA-w727-595x-pc3r

Source

https://github.com/advisories/GHSA-w727-595x-pc3r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-w727-595x-pc3r/GHSA-w727-595x-pc3r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w727-595x-pc3r

Aliases

CVE-2026-45306

Published

2026-05-14T20:17:27Z

Modified

2026-05-14T20:36:02.140684Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad

Details

Summary

The fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover.

Details

The fix in src/pyload/core/api/__init__.py:

directories = [PKGDIR, userdir]
if any(directories[0].startswith(d) for d in directories[1:]):
    return  # blocked

But the Flask session directory is:

session_storage_path = os.path.join(api.get_cachedir(), "flask")
# = /tmp/pyLoad/flask  ← NOT blocked by fix

Attack Chain

Attacker (admin) sets storage_folder = /tmp/pyLoad/flask
Fix does NOT block this — /tmp/pyLoad/flask not inside PKGDIR or userdir
Attacker requests GET /files/get/<victim_session_filename>
send_from_directory('/tmp/pyLoad/flask', session_file) serves victim's session
Attacker uses stolen session → Account Takeover

PoC

import os

PKGDIR = "/usr/lib/python3/dist-packages/pyload"
userdir = os.path.expanduser("~/.pyload")
session_dir = "/tmp/pyLoad/flask"

correct_case = lambda x: x
directories = [
    correct_case(os.path.join(os.path.realpath(d), ""))
    for d in [session_dir, PKGDIR, userdir]
]
blocked = any(directories[0].startswith(d) for d in directories[1:])

print(f"Fix blocks session_dir: {blocked}")
# Output: Fix blocks session_dir: False  ← BYPASS CONFIRMED

Impact

Authenticated admin can steal sessions of other users → Account Takeover.

Suggested Fix

blocked_dirs = [PKGDIR, userdir, api.get_cachedir()]
directories = [
    os.path.join(os.path.realpath(d), "")
    for d in [value] + blocked_dirs
]
if any(directories[0].startswith(d) for d in directories[1:]):
    return

Database specific

{
    "github_reviewed_at": "2026-05-14T20:17:27Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-706"
    ]
}

References

Affected packages

PyPI / pyload-ng

Package

Name: pyload-ng; View open source insights on deps.dev
Purl: pkg:pypi/pyload-ng

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.5.0b3.dev99

Affected versions

0.*

0.5.0a5.dev528

0.5.0a5.dev532

0.5.0a5.dev535

0.5.0a5.dev536

0.5.0a5.dev537

0.5.0a5.dev539

0.5.0a5.dev540

0.5.0a5.dev545

0.5.0a5.dev562

0.5.0a5.dev564

0.5.0a5.dev565

0.5.0a6.dev570

0.5.0a6.dev578

0.5.0a6.dev587

0.5.0a7.dev596

0.5.0a8.dev602

0.5.0a9.dev615

0.5.0a9.dev629

0.5.0a9.dev632

0.5.0a9.dev641

0.5.0a9.dev643

0.5.0a9.dev655

0.5.0a9.dev806

0.5.0b1.dev1

0.5.0b1.dev2

0.5.0b1.dev3

0.5.0b1.dev4

0.5.0b1.dev5

0.5.0b2.dev9

0.5.0b2.dev10

0.5.0b2.dev11

0.5.0b2.dev12

0.5.0b3.dev13

0.5.0b3.dev14

0.5.0b3.dev17

0.5.0b3.dev18

0.5.0b3.dev19

0.5.0b3.dev20

0.5.0b3.dev21

0.5.0b3.dev22

0.5.0b3.dev24

0.5.0b3.dev26

0.5.0b3.dev27

0.5.0b3.dev28

0.5.0b3.dev29

0.5.0b3.dev30

0.5.0b3.dev31

0.5.0b3.dev32

0.5.0b3.dev33

0.5.0b3.dev34

0.5.0b3.dev35

0.5.0b3.dev38

0.5.0b3.dev39

0.5.0b3.dev40

0.5.0b3.dev41

0.5.0b3.dev42

0.5.0b3.dev43

0.5.0b3.dev44

0.5.0b3.dev45

0.5.0b3.dev46

0.5.0b3.dev47

0.5.0b3.dev48

0.5.0b3.dev49

0.5.0b3.dev50

0.5.0b3.dev51

0.5.0b3.dev52

0.5.0b3.dev53

0.5.0b3.dev54

0.5.0b3.dev57

0.5.0b3.dev60

0.5.0b3.dev62

0.5.0b3.dev64

0.5.0b3.dev65

0.5.0b3.dev66

0.5.0b3.dev67

0.5.0b3.dev68

0.5.0b3.dev69

0.5.0b3.dev70

0.5.0b3.dev71

0.5.0b3.dev72

0.5.0b3.dev73

0.5.0b3.dev74

0.5.0b3.dev75

0.5.0b3.dev76

0.5.0b3.dev77

0.5.0b3.dev78

0.5.0b3.dev79

0.5.0b3.dev80

0.5.0b3.dev81

0.5.0b3.dev82

0.5.0b3.dev85

0.5.0b3.dev87

0.5.0b3.dev88

0.5.0b3.dev89

0.5.0b3.dev90

0.5.0b3.dev91

0.5.0b3.dev92

0.5.0b3.dev93

0.5.0b3.dev94

0.5.0b3.dev95

0.5.0b3.dev96

0.5.0b3.dev97

0.5.0b3.dev98

0.5.0b3.dev99

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-w727-595x-pc3r/GHSA-w727-595x-pc3r.json"