CVE-2026-35463
Remote Code Execution via Plugin Config in pyLoad
Publication date: 2026-04-07
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload-ng_project | pyload-ng | up to and including 0.5.0b3.dev96 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-35463 allows non-admin users with SETTINGS permission to execute arbitrary code and read arbitrary files on the system running pyLoad. This leads to a high impact on confidentiality, integrity, and availability of data.
Such unauthorized access and potential data breaches can violate common standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive data and prevent unauthorized system access.
Specifically, the ability to read arbitrary files and execute commands remotely could expose personal or protected health information, undermining compliance with data protection and privacy requirements.
Can you explain this vulnerability to me?
CVE-2026-35463 is a critical security vulnerability in pyLoad, a Python-based download manager. The issue arises because the protection mechanism that restricts modification of security-critical configuration options to admin users only applies to core configuration options but not to plugin configuration options.
Specifically, the AntiVirus plugin stores an executable path (avfile) in its configuration, which is passed directly to subprocess.Popen() without validation. A non-admin user with SETTINGS permission can change this executable path to an arbitrary command, enabling remote code execution (RCE) on the system.
How can this vulnerability impact me?
This vulnerability allows a non-admin user with SETTINGS permission to execute arbitrary commands on the system by modifying the AntiVirus plugin's executable path configuration. This leads to remote code execution with the privileges of the pyLoad process.
Additionally, there is an arbitrary file read issue: the same class of users can read sensitive files on the system because the storage folder setting is not validated strictly enough.
Overall, the impact includes privilege escalation from limited SETTINGS permission to full system access, compromising confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if non-admin users with SETTINGS permission can modify the AntiVirus plugin configuration options, specifically the executable path (avfile) and its arguments (avargs).
One approach is to attempt to query or modify these plugin configuration values via the pyLoad API or interface using a non-admin user account to see if changes are permitted.
Since the vulnerability involves remote code execution via subprocess.Popen() with user-controlled input, monitoring for unusual or unexpected subprocess executions related to the AntiVirus plugin may also help detect exploitation attempts.
Specific commands depend on the environment and pyLoad setup, but example steps include:
- Use API calls or configuration commands as a non-admin user to read or set the AntiVirus plugin's 'avfile' and 'avargs' options.
- Check logs for errors or warnings about unauthorized configuration changes or subprocess executions triggered by the AntiVirus plugin.
- Monitor running processes for unexpected children of the pyLoad process, especially a shell (sh, bash) or any binary other than the configured antivirus scanner.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting the ability of non-admin users to modify plugin configuration options, especially those related to the AntiVirus plugin's executable path and arguments.
Specifically:
- Apply the security patch that enforces admin-only restrictions on plugin configuration options, as implemented in the commit referenced in Resource 1.
- Ensure that only admin users can modify 'avfile' and 'avargs' settings in the AntiVirus plugin.
- Validate that the 'avfile' path points to a known, safe antivirus binary before it is used in subprocess calls, and invoke it as an argument list rather than through a shell.
- Review and tighten permissions for users with SETTINGS permission to prevent unauthorized configuration changes.
- Monitor and audit logs for any suspicious configuration changes or subprocess executions.
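To make the first three mitigation points concrete, here is an added example that is not pyLoad's own code and does not reproduce its real permission model: it models the flaw the advisory describes (an admin-only check that looks at the configuration section instead of the option) next to a hardened gate that keys on the option, and shows how an 'avfile' value should be validated before it reaches subprocess. Role names, the section names 'core' and 'plugin', the option tuples, and the admin-maintained allowlist are all assumptions.

```python
"""Admin-only gate for security-critical plugin options plus avfile validation.

Added example, not pyLoad's own code: it models the flaw described in the
advisory (the admin check covering only the core section) beside a
hardened gate, and shows how a scanner path should be checked before it
reaches subprocess. Role names, section names and the option tuples are
assumptions; the real pyLoad permission model is not reproduced here.
"""
import os
import shlex
import stat
import subprocess
import tempfile
from pathlib import Path

ADMIN, SETTINGS = "admin", "settings"

# Options that decide what pyLoad executes or reads; identifiers are assumed.
SECURITY_CRITICAL = {
    ("antivirus", "avfile"),
    ("antivirus", "avargs"),
    ("general", "storage_folder"),
}


def may_change_vulnerable(role, section, category, option):
    """Pattern the advisory describes: the admin check only covers 'core'."""
    if section == "core" and (category, option) in SECURITY_CRITICAL:
        return role == ADMIN
    return role in (ADMIN, SETTINGS)


def may_change(role, section, category, option):
    """Hardened gate: the check keys on the option, whatever section it lives in."""
    if (category, option) in SECURITY_CRITICAL:
        return role == ADMIN
    return role in (ADMIN, SETTINGS)


def validate_av_executable(avfile, allowed):
    """Return the resolved scanner path or raise ValueError.

    `allowed` is an admin-maintained allowlist of absolute paths (assumption).
    Symlinks are resolved first so /opt/av -> /bin/sh indirection is caught.
    """
    path = Path(avfile)
    if not path.is_absolute():
        raise ValueError("avfile must be an absolute path")
    try:
        real = path.resolve(strict=True)
    except OSError as exc:
        raise ValueError(f"avfile does not exist: {avfile}") from exc
    if real not in {Path(a).resolve() for a in allowed}:
        raise ValueError(f"{real} is not an allowlisted scanner")
    if not real.is_file() or not os.access(real, os.X_OK):
        raise ValueError(f"{real} is not an executable regular file")
    return real


def build_scan_command(avfile, avargs, target, allowed):
    """argv list for subprocess.run/Popen; never shell=True, avargs split not joined."""
    exe = validate_av_executable(avfile, allowed)
    return [str(exe), *shlex.split(avargs), str(target)]


def demo():
    """Exercise both gates and the validator against a throwaway scanner stub."""
    work = tempfile.mkdtemp()
    stub = os.path.join(work, "clamscan")      # stands in for a real scanner binary
    with open(stub, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(stub, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    results = {
        "vuln_lets_settings_user_set_plugin_avfile":
            may_change_vulnerable(SETTINGS, "plugin", "antivirus", "avfile"),
        "vuln_blocks_settings_user_on_core":
            not may_change_vulnerable(SETTINGS, "core", "general", "storage_folder"),
        "fixed_blocks_settings_user_on_plugin":
            not may_change(SETTINGS, "plugin", "antivirus", "avfile"),
        "fixed_allows_admin":
            may_change(ADMIN, "plugin", "antivirus", "avfile"),
        "allowlisted_stub_accepted":
            build_scan_command(stub, "--no-summary", "/tmp/x.zip", [stub])[0]
            == os.path.realpath(stub),
    }
    try:
        validate_av_executable("/bin/sh", [stub])
        results["shell_rejected"] = False
    except ValueError:
        results["shell_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of `build_scan_command` is that the scanner path and its arguments are passed to `subprocess` as a list, so a value such as `/bin/sh -c ...` in 'avfile' can never be interpreted by a shell, and the allowlist check runs every time the command is built rather than only when the option is saved. A further hardening step not shown here is to reject a scanner that is writable by the pyLoad process itself.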