CVE-2026-33509
Remote Code Execution via Improper Config in pyLoad Settings
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload | pyload | From 0.4 (inc) to 0.4.20 (inc) |
| pyload-ng_project | pyload-ng | From 0.5.0a5.dev528 (inc) to 0.5.0b3.dev97 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in pyLoad, a Python-based download manager, in versions from 0.4.0 up to but not including 0.5.0b3.dev97. It involves the set_config_value() API endpoint, which allows users with the non-admin SETTINGS permission to modify any configuration option without restriction.
Specifically, the reconnect.script configuration option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. Because there is no proper validation or restriction on this setting (except for a hardcoded check on general.storage_folder), a SETTINGS user can set reconnect.script to any executable file on the system.
This allows the user to execute arbitrary code remotely, resulting in Remote Code Execution (RCE). The vulnerability was patched in version 0.5.0b3.dev97.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows a user with limited permissions (non-admin SETTINGS permission) to execute arbitrary code on the system running pyLoad.
- Remote Code Execution (RCE) can lead to full system compromise.
- An attacker could run malicious executables, potentially stealing data, installing malware, or disrupting service.
- Since the attacker does not need admin privileges, the attack surface is larger and easier to exploit.
- This could result in loss of confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade pyLoad to version 0.5.0b3.dev97 or later, where the issue has been patched.
Until the upgrade is applied, restrict non-admin users from accessing the set_config_value() API endpoint or the SETTINGS permission to prevent unauthorized modification of configuration options.