EUVD-2026-19736

CVE-2026-35586 (MEDIUM)
Published 2026-04-07, source GitHub_M, advisory GHSA-ppvx-rwh9-7rj7
CVSS 3.1 base score: 6.8

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch Released: Apr 08, 2026 02:30 (nvd), patch available
EUVD ID Assigned: Apr 07, 2026 16:30 (euvd), EUVD-2026-19736
Analysis Generated: Apr 07, 2026 16:30 (vuln.today)
CVE Published: Apr 07, 2026 16:09 (nvd), severity MEDIUM 6.8

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
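The description above names the root cause: an admin-only allow-list written with option names that do not exist, so the membership check silently never matches. The following Python is an added illustration of that bug class and its fix, not pyLoad's own code. The option catalogue CONFIG_OPTIONS, the user dictionary shape, and the functions set_config_value_with, try_set and find_unknown_admin_only_names are hypothetical; only the option names and the identifiers ADMIN_ONLY_CORE_OPTIONS and set_config_value come from the advisory text.

```python
# Added illustration of the advisory's bug class (hypothetical, not pyLoad's code).

# Constructed catalogue of "real" core option names, modelled on the advisory text.
CONFIG_OPTIONS = {
    "ssl_certfile",
    "ssl_keyfile",
    "ssl_certchain",
    "download_folder",
    "max_connections",
}

# Vulnerable allow-list: ssl_cert / ssl_key match no real option, and
# ssl_certchain is missing entirely, so "option in admin_only" is always False.
ADMIN_ONLY_CORE_OPTIONS_VULNERABLE = {"ssl_cert", "ssl_key"}

# Corrected allow-list using the real option names, with ssl_certchain added.
ADMIN_ONLY_CORE_OPTIONS_FIXED = {"ssl_certfile", "ssl_keyfile", "ssl_certchain"}


class PermissionDenied(Exception):
    """Raised when the caller lacks the permission the option requires."""


def set_config_value_with(admin_only, option, value, user, config):
    """Hypothetical set_config_value() parameterised by the admin-only set.

    user is a dict like {"is_admin": bool, "perms": {"SETTINGS", ...}}.
    Returns the updated config dict; raises PermissionDenied on failure.
    """
    if option not in CONFIG_OPTIONS:
        raise KeyError(f"unknown option: {option}")
    if "SETTINGS" not in user["perms"]:
        raise PermissionDenied("SETTINGS permission required")
    # The admin-only gate: only effective if the set names real options.
    if option in admin_only and not user["is_admin"]:
        raise PermissionDenied(f"{option} is admin-only")
    config[option] = value
    return config


def try_set(admin_only, option, value, user):
    """Return True if the write is accepted, False if it is refused."""
    try:
        set_config_value_with(admin_only, option, value, user, {})
        return True
    except PermissionDenied:
        return False


def find_unknown_admin_only_names(admin_only, options=CONFIG_OPTIONS):
    """Consistency check that would have caught the bug at test time:
    every name in an admin-only set must be a real option name.
    Returns the sorted list of names that do not exist."""
    return sorted(admin_only - options)


if __name__ == "__main__":
    non_admin = {"is_admin": False, "perms": {"SETTINGS"}}
    for label, admin_only in (("vulnerable", ADMIN_ONLY_CORE_OPTIONS_VULNERABLE),
                              ("fixed", ADMIN_ONLY_CORE_OPTIONS_FIXED)):
        accepted = try_set(admin_only, "ssl_certfile", "/tmp/x.pem", non_admin)
        unknown = find_unknown_admin_only_names(admin_only)
        print(f"{label}: non-admin write accepted={accepted}, unknown names={unknown}")
```

The consistency check at the end is the defensive takeaway: an allow-list of privileged option names should be validated against the real option catalogue in a unit test, so a typo or a forgotten entry fails the build instead of silently disabling the authorization gate.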

Analysis

Privilege escalation in pyLoad prior to 0.5.0b3.dev97 allows authenticated users with SETTINGS permission to bypass admin-only protections and modify SSL certificate and key file paths due to incorrect option name mappings in the ADMIN_ONLY_CORE_OPTIONS authorization set. The vulnerability arises from name mismatches (ssl_cert/ssl_key vs. …


Priority Score

34 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +34
POC: 0


EUVD-2026-19736 vulnerability details – vuln.today
