HIGH · CVE-2026-35463 · CVSS 8.8

CVE-2026-35463: RCE in pyLoad Download Manager

Platform

python

Component

pyload

Fixed in

0.5.1

AI Confidence: high · NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2026-35463 describes a remote code execution (RCE) vulnerability in pyLoad, a free and open-source download manager written in Python. This vulnerability arises from insufficient protection of plugin configuration options, allowing unauthorized users to execute arbitrary code. It affects versions 0.5.0b3.dev96 and earlier, and a fix is expected in a future release.


Impact and Attack Scenarios

The vulnerability allows a user with only SETTINGS permission to execute arbitrary code on the system running pyLoad. Specifically, the AntiVirus plugin stores the path to an executable (avfile) in its configuration, and that path is passed directly to subprocess.Popen(). An attacker can change the path to point at an executable of their choosing, gaining remote code execution. The blast radius is the entire host, because commands run with the privileges of the pyLoad process; this can lead to data theft, system compromise and, if the pyLoad process has elevated privileges, lateral movement within the network.

Exploitation Context

This vulnerability was publicly disclosed on 2026-04-07. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of writing.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.29% (52% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8, HIGH). Source: nextguardhq.com.

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: pyload
Vendor: pyload
Affected range: <= 0.5.0b3.dev96
Fixed in: 0.5.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 47 days since disclosure

Mitigation and Workarounds

The primary mitigation is to upgrade to a patched version of pyLoad as soon as it becomes available. Until a patch is released, consider restricting user permissions to prevent users from modifying plugin configurations. While a direct workaround is unavailable, implementing strict file system access controls can limit the attacker's ability to place malicious executables in locations accessible to the pyLoad process. Monitor the AntiVirus plugin's configuration file for unauthorized changes. After upgrading, verify the integrity of the AntiVirus plugin configuration and confirm that the executable path is set to a trusted location.
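One way to perform the post-upgrade checks described above (avfile points at a trusted, non-user-writable location, plus a baseline digest to detect later changes), as an added example that is not pyLoad's own code; the INI-style config layout, the [AntiVirus] section name and the trusted directories are assumptions:

```python
import hashlib
import stat
import tempfile
from pathlib import Path

TRUSTED_DIRS = ("/usr/bin", "/usr/local/bin")  # assumption: admin-approved locations
SAMPLE_CONFIG = "[AntiVirus]\navfile = /usr/bin/clamscan\n"  # constructed sample

def parse_avfile(text):
    """Return the avfile value from the [AntiVirus] section, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[AntiVirus]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "avfile":
                return value.strip()
    return None

def avfile_is_trusted(path, trusted_dirs=TRUSTED_DIRS):
    """True only if absolute, resolving (symlinks followed) into a trusted dir,
    existing, and not writable by group or others."""
    p = Path(path)
    if not p.is_absolute():
        return False
    resolved = p.resolve()
    if not any(resolved.parent == Path(d).resolve() for d in trusted_dirs):
        return False
    try:
        mode = resolved.stat().st_mode
    except OSError:
        return False
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)

def avfile_fingerprint(text):
    """Digest of the configured avfile: store after verifying, compare on each check."""
    return hashlib.sha256((parse_avfile(text) or "").encode()).hexdigest()

def demo_permission_check():
    # Self-contained demo in a temp dir: mode 0o755 passes, 0o777 fails.
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "clamscan"
        exe.write_text("#!/bin/sh\n")
        exe.chmod(0o755)
        good = avfile_is_trusted(str(exe), (d,))
        exe.chmod(0o777)
        bad = avfile_is_trusted(str(exe), (d,))
    return good, bad
```

A mismatch between the stored fingerprint and the current one, or a failed trust check, is the signal to investigate who changed the option.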

How to fix

Update pyLoad to a patched version. The vulnerability was fixed by allowing the ADMIN_ONLY_OPTIONS protection to also apply to plugin configuration options, preventing non-administrative users from executing system commands.
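An added illustration, not pyLoad's own code, of what extending ADMIN_ONLY_OPTIONS to plugin options changes: the Role enum, the PluginConfig class and the contents of the option set are assumptions constructed for the example.

```python
import enum

class Role(enum.Enum):
    SETTINGS = "settings"  # may change ordinary plugin options
    ADMIN = "admin"        # may change everything

# Assumption: the plugin options that select an executable. The fix extends
# ADMIN_ONLY_OPTIONS to plugin options; the contents here are constructed.
ADMIN_ONLY_OPTIONS = {("AntiVirus", "avfile")}

class PermissionDenied(Exception):
    pass

class PluginConfig:
    def __init__(self):
        # Constructed defaults; avfile is what the plugin passes to Popen().
        self._values = {("AntiVirus", "avfile"): "/usr/bin/clamscan",
                        ("AntiVirus", "quarantine"): False}

    def get(self, plugin, option):
        return self._values[(plugin, option)]

    def set_vulnerable(self, plugin, option, value, role):
        # Before the fix: any role with SETTINGS rights may change avfile,
        # so the executable run by subprocess.Popen() is caller-chosen.
        if role not in (Role.SETTINGS, Role.ADMIN):
            raise PermissionDenied(role)
        self._values[(plugin, option)] = value

    def set_hardened(self, plugin, option, value, role):
        # After the fix: options naming an executable require ADMIN, the
        # same rule ADMIN_ONLY_OPTIONS already applied to core options.
        if (plugin, option) in ADMIN_ONLY_OPTIONS and role is not Role.ADMIN:
            raise PermissionDenied(f"{plugin}.{option} is admin-only")
        if role not in (Role.SETTINGS, Role.ADMIN):
            raise PermissionDenied(role)
        self._values[(plugin, option)] = value

def can_change(setter, plugin, option, value, role):
    """True if `setter` accepted the change, False if it was denied."""
    try:
        setter(plugin, option, value, role)
        return True
    except PermissionDenied:
        return False

def build_scan_argv(cfg, target):
    # Argument-list form: no shell, so avfile is argv[0] and nothing more.
    return [cfg.get("AntiVirus", "avfile"), target]
```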


Frequently asked questions

What is CVE-2026-35463 — RCE in pyLoad Download Manager?

CVE-2026-35463 is a remote code execution vulnerability affecting pyLoad versions 0.5.0b3.dev96 and earlier. It allows a user with SETTINGS permission to execute arbitrary code by modifying the AntiVirus plugin's executable path.

Am I affected by CVE-2026-35463 in pyLoad Download Manager?

You are affected if you are using pyLoad version 0.5.0b3.dev96 or earlier. Check your version and upgrade as soon as a patch is available.

How do I fix CVE-2026-35463 in pyLoad Download Manager?

The recommended fix is to upgrade to a patched version of pyLoad. Until a patch is released, restrict user permissions and monitor plugin configuration files.

Is CVE-2026-35463 being actively exploited?

As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-35463, but vigilance is still advised.

Where can I find the official pyLoad advisory for CVE-2026-35463?

Refer to the pyLoad project's official website and communication channels for the latest advisory regarding CVE-2026-35463.
