Skip to main content

Download Manager CVE-2026-39676

| EUVD-2026-20355 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-q462-ghxj-5ffx
Authentication Bypass Download Manager
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20355
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a through <= 3.3.52.

AnalysisAI

Remote unauthenticated attackers can bypass access controls in Shahjada Download Manager through version 3.3.52, gaining unauthorized read access to restricted download content due to missing authorization checks. The vulnerability affects all versions up to and including 3.3.52, with an EPSS exploitation probability of 0.02% (4th percentile) indicating minimal real-world risk despite the network-accessible attack vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment Despite the network-accessible attack vector and low complexity (CVSS 5.3, Medium severity), real-world risk is considerably low based on multiple signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker could directly request download endpoints for restricted files protected by the Download Manager plugin. Due to missing authorization validation, the attacker would receive the file content or metadata without supplying valid credentials, allowing enumeration and exfiltration of documents intended to be restricted (e.g., premium content, private reports, or subscriber-only materials). …
Remediation Update Shahjada Download Manager to the latest available version above 3.3.52. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39676 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy