Plattform
python
Komponente
pyload-ng
Behoben in
0.4.1
0.5.1
CVE-2026-33509 describes a Remote Code Execution (RCE) vulnerability in pyload-ng, a Python-based download manager. This flaw allows users with the SETTINGS permission (but not admin rights) to modify any configuration option, including the reconnect.script setting, which directly controls a file path passed to subprocess.run(). This enables an attacker to execute arbitrary code on the system. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3.dev96, and a fix is available in version 0.5.0b3.dev97.
The impact of CVE-2026-33509 is severe. An attacker who can obtain the SETTINGS permission within pyload-ng can leverage this vulnerability to achieve full remote code execution on the affected system. This means they could install malware, steal sensitive data, modify system configurations, or even gain persistent access. The reconnect.script setting is particularly dangerous because it directly executes a user-controlled file path via subprocess.run(), bypassing typical security checks. The lack of validation beyond a hardcoded check for general.storage_folder makes almost all settings vulnerable. This vulnerability shares similarities with other configuration-based RCE exploits where user-controlled paths are passed to system commands without proper sanitization.
CVE-2026-33509 was published on 2026-03-20. There is no indication of this vulnerability being added to the CISA KEV catalog (as of the publication date). Public proof-of-concept (PoC) code is currently unknown, but the vulnerability's nature suggests it could be easily exploited once a PoC is developed. Active exploitation campaigns are not currently confirmed, but the ease of exploitation makes it a potential target.
Organizations and individuals using pyload-ng for download management, particularly those with multiple users or shared hosting environments, are at risk. Systems where the SETTINGS permission has been granted to non-administrative users are especially vulnerable. Legacy configurations that haven't been regularly updated are also at increased risk.
• linux / server:
journalctl -u pyload-ng | grep -i "reconnect.script"• python / supply-chain:
import os
config_path = os.path.expanduser('~/.config/pyload-ng/config.json')
with open(config_path, 'r') as f:
config = json.load(f)
if 'reconnect' in config and 'script' in config['reconnect']:
print(f"Potential vulnerability: reconnect.script set to {config['reconnect']['script']}")• generic web:
Use curl or wget to check for the existence of the /api/v1/settings/setconfigvalue endpoint. Examine the response headers for any unusual or unexpected content.
disclosure
Exploit-Status
EPSS
0.08% (25% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-33509 is to upgrade pyload-ng to version 0.5.0b3.dev97 or later, which includes the fix. If upgrading is not immediately feasible, consider restricting the SETTINGS permission to trusted users only. Implement a Web Application Firewall (WAF) or proxy to filter requests to the setconfigvalue() API endpoint, specifically blocking attempts to modify the reconnect.script setting. Review all configuration options and ensure that any user-writable settings are properly validated and sanitized. After upgrading, verify the fix by attempting to modify the reconnect.script setting with a non-executable file and confirming that the operation fails with an appropriate error message.
Actualice pyLoad a la versión 0.5.0b3.dev97 o superior. Esta versión corrige la vulnerabilidad que permite la ejecución remota de código a través de la configuración del script de reconexión.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-33509 is a Remote Code Execution vulnerability in pyload-ng where a privileged user can modify the reconnect.script configuration to execute arbitrary code.
You are affected if you are using pyload-ng versions ≤0.5.0b3.dev96 and have users with the SETTINGS permission.
Upgrade to pyload-ng version 0.5.0b3.dev97 or later. Restrict the SETTINGS permission to trusted users as a temporary workaround.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official pyload-ng project's website or GitHub repository for the latest security advisories and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.