PYSEC-2026-126

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-126.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-126

Aliases

CVE-2026-42312
GHSA-ccxc-x975-4hh9

Published

2026-05-11T18:16:34.833Z

Modified

2026-05-20T09:19:15.952431Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option ("general", "sslverify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS permission can set general.sslverify = off, and every subsequent outbound pycurl request is made with SSLVERIFYPEER=0 and SSL_VERIFYHOST=0 — TLS peer and hostname verification are fully disabled. An on-path attacker can then present forged certificates for any hostname pyload fetches. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.

References

https://github.com/pyload/pyload/security/advisories/GHSA-ccxc-x975-4hh9

Affected packages

PyPI / pyload-ng

Package

Name: pyload-ng; View open source insights on deps.dev
Purl: pkg:pypi/pyload-ng

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0b3.dev100

Affected versions

0.*

0.5.0a5.dev528

0.5.0a5.dev532

0.5.0a5.dev535

0.5.0a5.dev536

0.5.0a5.dev537

0.5.0a5.dev539

0.5.0a5.dev540

0.5.0a5.dev545

0.5.0a5.dev562

0.5.0a5.dev564

0.5.0a5.dev565

0.5.0a6.dev570

0.5.0a6.dev578

0.5.0a6.dev587

0.5.0a7.dev596

0.5.0a8.dev602

0.5.0a9.dev615

0.5.0a9.dev629

0.5.0a9.dev632

0.5.0a9.dev641

0.5.0a9.dev643

0.5.0a9.dev655

0.5.0a9.dev806

0.5.0b1.dev1

0.5.0b1.dev2

0.5.0b1.dev3

0.5.0b1.dev4

0.5.0b1.dev5

0.5.0b2.dev9

0.5.0b2.dev10

0.5.0b2.dev11

0.5.0b2.dev12

0.5.0b3.dev13

0.5.0b3.dev14

0.5.0b3.dev17

0.5.0b3.dev18

0.5.0b3.dev19

0.5.0b3.dev20

0.5.0b3.dev21

0.5.0b3.dev22

0.5.0b3.dev24

0.5.0b3.dev26

0.5.0b3.dev27

0.5.0b3.dev28

0.5.0b3.dev29

0.5.0b3.dev30

0.5.0b3.dev31

0.5.0b3.dev32

0.5.0b3.dev33

0.5.0b3.dev34

0.5.0b3.dev35

0.5.0b3.dev38

0.5.0b3.dev39

0.5.0b3.dev40

0.5.0b3.dev41

0.5.0b3.dev42

0.5.0b3.dev43

0.5.0b3.dev44

0.5.0b3.dev45

0.5.0b3.dev46

0.5.0b3.dev47

0.5.0b3.dev48

0.5.0b3.dev49

0.5.0b3.dev50

0.5.0b3.dev51

0.5.0b3.dev52

0.5.0b3.dev53

0.5.0b3.dev54

0.5.0b3.dev57

0.5.0b3.dev60

0.5.0b3.dev62

0.5.0b3.dev64

0.5.0b3.dev65

0.5.0b3.dev66

0.5.0b3.dev67

0.5.0b3.dev68

0.5.0b3.dev69

0.5.0b3.dev70

0.5.0b3.dev71

0.5.0b3.dev72

0.5.0b3.dev73

0.5.0b3.dev74

0.5.0b3.dev75

0.5.0b3.dev76

0.5.0b3.dev77

0.5.0b3.dev78

0.5.0b3.dev79

0.5.0b3.dev80

0.5.0b3.dev81

0.5.0b3.dev82

0.5.0b3.dev85

0.5.0b3.dev87

0.5.0b3.dev88

0.5.0b3.dev89

0.5.0b3.dev90

0.5.0b3.dev91

0.5.0b3.dev92

0.5.0b3.dev93

0.5.0b3.dev94

0.5.0b3.dev95

0.5.0b3.dev96

0.5.0b3.dev97

0.5.0b3.dev98

0.5.0b3.dev99

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-126.yaml"