Platform
python
Component
pyload-ng
Fixed in
0.4.1
0.5.1
CVE-2026-33509 describes a Remote Code Execution (RCE) vulnerability in pyload-ng, a Python-based download manager. A user holding the SETTINGS permission, without admin rights, can modify any configuration option, including reconnect.script, whose value is a file path that pyload-ng hands to subprocess.run(). Pointing that option at a file the attacker controls therefore yields arbitrary code execution as the user the pyload-ng process runs under. Affected versions are pyload-ng up to and including 0.5.0b3.dev96; the fix shipped in 0.5.0b3.dev97.
The impact of CVE-2026-33509 is severe. Any account that obtains the SETTINGS permission can achieve full remote code execution on the host, and from there install malware, exfiltrate data, alter system configuration or establish persistent access. reconnect.script is the most direct route because its value is executed as-is via subprocess.run(), with no check on what the path points to. The configuration setter's only validation is a hardcoded check on general.storage_folder, so almost every other option is accepted verbatim. The pattern is a familiar one: a user-controlled path reaches a system command without sanitization and without a privilege check proportional to what the option controls.
CVE-2026-33509 was published on 2026-03-20. As of that date it had not been added to the CISA KEV catalog, no public proof-of-concept (PoC) was known, and no active exploitation campaign had been confirmed. The absence of a PoC should not be read as low risk: exploitation requires nothing more than a configuration write by a SETTINGS-holder, so a working exploit is trivial to produce.
Exploit Status
EPSS
0.08% (25% percentile)
CISA SSVC
The primary mitigation for CVE-2026-33509 is to upgrade pyload-ng to version 0.5.0b3.dev97 or later. If upgrading is not immediately feasible, restrict the SETTINGS permission to trusted users only, and audit which accounts currently hold it. A WAF or reverse proxy in front of pyload-ng can additionally filter requests to the setconfigvalue() API endpoint and block attempts to modify reconnect.script, though this is a stopgap, not a fix. Review all configuration options and ensure that any setting writable by non-admin users is validated, and that options which select code to execute are reserved for admins. After upgrading, verify the fix from a test account that holds only SETTINGS: attempt to set reconnect.script to an arbitrary, non-executable file and confirm the change is rejected with an error rather than silently stored.
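To make the mechanism and the mitigation concrete, here is an added example (not pyload-ng's own code, and not the upstream fix): a minimal model of a configuration setter. The "vulnerable" version mirrors what the advisory describes, where any SETTINGS-holder can write any option and only general.storage_folder is checked; the "hardened" version requires admin rights for options that select code to execute and confines reconnect.script to an operator-controlled directory. The permission names, the EXECUTABLE_OPTIONS set, the script-directory allowlist and the temporary files in demo() are all assumptions constructed for this example.

```python
"""Added example: why an unvalidated, non-admin-writable reconnect.script
becomes code execution, and one way to harden the setter. Assumed model,
not pyload-ng's code."""
import os
import subprocess
import tempfile
from pathlib import Path

ADMIN = "admin"        # assumed permission names
SETTINGS = "settings"

# Options whose value ends up as an argument to subprocess.run(). Assumed
# set for this example; the advisory names only reconnect.script.
EXECUTABLE_OPTIONS = {("reconnect", "script")}


class ConfigError(ValueError):
    pass


def new_config():
    return {
        ("general", "storage_folder"): tempfile.gettempdir(),
        ("reconnect", "script"): "",
    }


def set_config_value_vulnerable(cfg, perms, section, option, value):
    """Models the pre-fix behaviour: any SETTINGS-holder may write any option,
    and the only validation is a hardcoded check on general.storage_folder."""
    if not perms & {SETTINGS, ADMIN}:
        raise PermissionError("SETTINGS permission required")
    if (section, option) == ("general", "storage_folder") and not os.path.isdir(value):
        raise ConfigError("storage_folder must be an existing directory")
    cfg[(section, option)] = value  # reconnect.script is stored verbatim


def set_config_value_hardened(cfg, perms, section, option, value, script_dir):
    """Assumed hardening: options that control execution need ADMIN, and the
    script must be an existing regular file inside script_dir."""
    if not perms & {SETTINGS, ADMIN}:
        raise PermissionError("SETTINGS permission required")
    key = (section, option)
    if key == ("general", "storage_folder") and not os.path.isdir(value):
        raise ConfigError("storage_folder must be an existing directory")
    if key in EXECUTABLE_OPTIONS:
        if ADMIN not in perms:
            raise PermissionError(f"{section}.{option} requires admin rights")
        if value:
            path = Path(value).resolve()  # collapses ../ and symlinks first
            if Path(script_dir).resolve() not in path.parents:
                raise ConfigError(f"{section}.{option} must be inside {script_dir}")
            if not path.is_file():
                raise ConfigError(f"{section}.{option} is not a regular file")
            value = str(path)
    cfg[key] = value


def reconnect_argv(cfg):
    """The argv the reconnect feature would hand to subprocess.run(); returned
    rather than executed so the example is safe to run offline."""
    script = cfg[("reconnect", "script")]
    return [script] if script else None


def run_reconnect(cfg):
    """What the real feature does with that argv (not called by demo())."""
    argv = reconnect_argv(cfg)
    return subprocess.run(argv, check=False) if argv else None


def demo():
    """Constructed scenario: an attacker-controlled script outside the allowed
    directory and a legitimate one inside it. Returns the observed outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        script_dir = Path(tmp) / "scripts"
        script_dir.mkdir()
        good = script_dir / "reconnect.sh"
        good.write_text("#!/bin/sh\necho reconnect\n")
        evil = Path(tmp) / "evil.sh"  # attacker-writable location
        evil.write_text("#!/bin/sh\necho pwned\n")
        traversal = str(script_dir / ".." / "evil.sh")

        # Pre-fix: SETTINGS alone points reconnect.script at the attacker's file.
        cfg = new_config()
        set_config_value_vulnerable(cfg, {SETTINGS}, "reconnect", "script", str(evil))
        results["vuln_argv_is_attacker_path"] = reconnect_argv(cfg) == [str(evil)]

        # Hardened: a SETTINGS-only user is refused outright.
        cfg = new_config()
        try:
            set_config_value_hardened(cfg, {SETTINGS}, "reconnect", "script", str(evil), script_dir)
            results["hard_settings_refused"] = False
        except PermissionError:
            results["hard_settings_refused"] = True

        # Hardened: even an admin cannot escape the script directory via ../
        try:
            set_config_value_hardened(cfg, {ADMIN}, "reconnect", "script", traversal, script_dir)
            results["hard_traversal_refused"] = False
        except ConfigError:
            results["hard_traversal_refused"] = True

        # Hardened: an admin may select a real file inside the directory.
        set_config_value_hardened(cfg, {ADMIN}, "reconnect", "script", str(good), script_dir)
        results["hard_good_accepted"] = reconnect_argv(cfg) == [str(good.resolve())]
    return results
```

The point of resolving the path before the containment check is that a value like `scripts/../evil.sh` would otherwise pass a naive prefix comparison; the privilege gate on EXECUTABLE_OPTIONS is the part that actually addresses the advisory, since path validation alone still lets a SETTINGS-holder choose which approved script runs.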
Update pyLoad to version 0.5.0b3.dev97 or higher. This version fixes the vulnerability that allows remote code execution through the reconnect script configuration.
CVE-2026-33509 is a Remote Code Execution vulnerability in pyload-ng where a user holding the SETTINGS permission (admin rights are not required) can modify the reconnect.script configuration option to execute arbitrary code.
You are affected if you are using pyload-ng versions ≤0.5.0b3.dev96 and have users with the SETTINGS permission.
Upgrade to pyload-ng version 0.5.0b3.dev97 or later. Restrict the SETTINGS permission to trusted users as a temporary workaround.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official pyload-ng project's website or GitHub repository for the latest security advisories and updates.