EUVD-2026-20998

CVE-2026-40071 (MEDIUM, CVSS 3.1 base score 5.4)
2026-04-09, GitHub_M

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Apr 09, 2026 - 18:15 (euvd), EUVD-2026-20998
Analysis Generated: Apr 09, 2026 - 18:15 (vuln.today)
CVE Published: Apr 09, 2026 - 17:36 (nvd), MEDIUM 5.4

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.

Analysis

Authenticated privilege escalation in pyLoad's WebUI JSON endpoints (/json/package_order, /json/link_order, /json/abort_link) allows low-privileged users to perform unauthorized MODIFY operations that violate the application's permission model. Versions prior to 0.5.0b3.dev97 are affected; the vulnerability requires valid authentication but enables privilege boundary bypass without requiring elevated credentials.


Priority Score

27 (KEV: 0, EPSS: +0.0, CVSS: +27, POC: 0)
