Platform: python
Component: pyload
Fixed in: 0.5.1
CVE-2026-35463 describes a remote code execution (RCE) vulnerability in pyLoad, a free and open-source download manager written in Python. This vulnerability arises from insufficient protection of plugin configuration options, allowing unauthorized users to execute arbitrary code. It affects versions 0.5.0b3.dev96 and earlier, and a fix is expected in a future release.
The vulnerability allows a user with only SETTINGS permission to execute arbitrary code on the system running pyLoad. Specifically, the AntiVirus plugin stores a path to an executable (avfile) within its configuration. This path is then directly passed to subprocess.Popen(). An attacker can modify this path to point to a malicious executable, effectively gaining remote code execution. The blast radius extends to the entire system, as the attacker can execute commands with the privileges of the pyLoad process. This could lead to data theft, system compromise, and potentially, lateral movement within the network if the pyLoad process has elevated privileges.
This vulnerability was publicly disclosed on 2026-04-07. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.29% (52nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of pyLoad as soon as it becomes available. Until a patch is released, consider restricting user permissions to prevent users from modifying plugin configurations. While a direct workaround is unavailable, implementing strict file system access controls can limit the attacker's ability to place malicious executables in locations accessible to the pyLoad process. Monitor the AntiVirus plugin's configuration file for unauthorized changes. After upgrading, verify the integrity of the AntiVirus plugin configuration and confirm that the executable path is set to a trusted location.
Update pyLoad to a patched version. The vulnerability was fixed by allowing the ADMIN_ONLY_OPTIONS protection to also apply to plugin configuration options, preventing non-administrative users from executing system commands.
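The fix described above is an authorization gate: configuration options whose value ends up in a process launcher are marked admin-only, so a SETTINGS-only user cannot change them. The following is an added illustration of that pattern together with the post-upgrade check recommended above (is the executable path inside a trusted location?). It is not pyLoad's own code; the permission names, the ConfigStore class, the contents of ADMIN_ONLY_OPTIONS and the trusted-directory list are all assumptions modelled on the advisory text.

```python
# Added illustration (not pyLoad's own code): a permission gate for plugin
# configuration options modelled on the ADMIN_ONLY_OPTIONS fix described in
# the advisory, plus an audit helper for executable-path options.
# Perm, ConfigStore, the option keys and TRUSTED_EXEC_DIRS are assumptions.
from dataclasses import dataclass, field
from enum import Flag, auto
from pathlib import PurePosixPath


class Perm(Flag):
    SETTINGS = auto()   # may edit ordinary plugin options
    ADMIN = auto()      # may additionally edit admin-only options


# (plugin, option) pairs whose value is passed to a process launcher.
# Modelled on the AntiVirus plugin's "avfile" option; assumed, not pyLoad's list.
ADMIN_ONLY_OPTIONS = {("antivirus", "avfile")}

# Constructed allowlist: directories an AV scanner is expected to live in.
TRUSTED_EXEC_DIRS = ("/usr/bin", "/usr/local/bin", "/opt/clamav/bin")


@dataclass
class ConfigStore:
    options: dict = field(default_factory=dict)

    def set_option(self, user_perms: Perm, plugin: str, option: str, value: str) -> None:
        """Store a plugin option, refusing admin-only options for non-admin users."""
        if Perm.SETTINGS not in user_perms:
            raise PermissionError("SETTINGS permission required")
        if (plugin, option) in ADMIN_ONLY_OPTIONS and Perm.ADMIN not in user_perms:
            raise PermissionError(f"{plugin}.{option} may only be changed by an administrator")
        self.options[(plugin, option)] = value

    def get_option(self, plugin: str, option: str):
        return self.options.get((plugin, option))


def is_trusted_executable(path: str) -> bool:
    """True only for an absolute path, without '..' segments, whose parent is a trusted dir."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return any(str(p.parent) == d for d in TRUSTED_EXEC_DIRS)


def audit(store: ConfigStore) -> list:
    """Return admin-only options whose current value is not a trusted executable path."""
    findings = []
    for key in sorted(ADMIN_ONLY_OPTIONS):
        value = store.get_option(*key)
        if value is not None and not is_trusted_executable(value):
            findings.append((key, value))
    return findings


def demo():
    """Admin sets a trusted scanner; a SETTINGS-only user is refused; audit is clean."""
    store = ConfigStore()
    store.set_option(Perm.SETTINGS | Perm.ADMIN, "antivirus", "avfile", "/usr/bin/clamscan")
    try:
        store.set_option(Perm.SETTINGS, "antivirus", "avfile", "/tmp/scanner")  # constructed value
        refused = False
    except PermissionError:
        refused = True
    return refused, audit(store)


if __name__ == "__main__":
    print(demo())
```

The gate in set_option is the part that corresponds to the fix; audit corresponds to the "verify the executable path is set to a trusted location" step and will flag a value that an administrator (or an earlier, unpatched install) left pointing outside the allowlist.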
CVE-2026-35463 is a remote code execution vulnerability affecting pyLoad versions 0.5.0b3.dev96 and earlier. It allows a user with SETTINGS permission to execute arbitrary code by modifying the AntiVirus plugin's executable path.
You are affected if you are using pyLoad version 0.5.0b3.dev96 or earlier. Check your version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of pyLoad. Until a patch is released, restrict user permissions and monitor plugin configuration files.
As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-35463, but vigilance is still advised.
Refer to the pyLoad project's official website and communication channels for the latest advisory regarding CVE-2026-35463.