Compliance Impact

CVE-2026-35463 allows non-admin users with SETTINGS permission to execute arbitrary code and read arbitrary files on the system running pyLoad. This leads to a high impact on confidentiality, integrity, and availability of data.

Such unauthorized access and potential data breaches can violate common standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive data and prevent unauthorized system access.

Specifically, the ability to read arbitrary files and execute commands remotely could expose personal or protected health information, undermining compliance with data protection and privacy requirements.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35463 is a critical security vulnerability in pyLoad, a Python-based download manager. The issue arises because the protection mechanism that restricts modification of security-critical configuration options to admin users only applies to core configuration options but not to plugin configuration options.

Specifically, the AntiVirus plugin stores an executable path (avfile) in its configuration, which is passed directly to subprocess.Popen() without validation. A non-admin user with SETTINGS permission can change this executable path to an arbitrary command, enabling remote code execution (RCE) on the system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a non-admin user with SETTINGS permission to execute arbitrary commands on the system by modifying the AntiVirus plugin's executable path configuration. This leads to remote code execution with the privileges of the pyLoad process.

Additionally, there is an arbitrary file read vulnerability that allows such users to read sensitive files on the system by exploiting misconfigured storage folder validation.

Overall, the impact includes privilege escalation from limited SETTINGS permission to full system access, compromising confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if non-admin users with SETTINGS permission can modify the AntiVirus plugin configuration options, specifically the executable path (avfile) and its arguments (avargs).

One approach is to attempt to query or modify these plugin configuration values via the pyLoad API or interface using a non-admin user account to see if changes are permitted.

Since the vulnerability involves remote code execution via subprocess.Popen() with user-controlled input, monitoring for unusual or unexpected subprocess executions related to the AntiVirus plugin may also help detect exploitation attempts.

Specific commands depend on the environment and pyLoad setup, but example steps include:

• Use API calls or configuration commands as a non-admin user to read or set the AntiVirus plugin's 'avfile' and 'avargs' options.
• Check logs for errors or warnings about unauthorized configuration changes or subprocess executions triggered by the AntiVirus plugin.
• Monitor running processes for unexpected commands spawned by pyLoad, especially those invoking shell or bash.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting the ability of non-admin users to modify plugin configuration options, especially those related to the AntiVirus plugin's executable path and arguments.

Specifically:

• Apply the security patch that enforces admin-only restrictions on plugin configuration options, as implemented in the commit referenced in Resource 1.
• Ensure that only admin users can modify 'avfile' and 'avargs' settings in the AntiVirus plugin.
• Validate that the 'avfile' path points to a known, safe antivirus binary before it is used in subprocess calls.
• Review and tighten permissions for users with SETTINGS permission to prevent unauthorized configuration changes.
• Monitor and audit logs for any suspicious configuration changes or subprocess executions.

Useful 0 Not Useful 0