Platform
python
Component
pyload-ng
Fixed in
0.5.1
0.5.1
CVE-2026-35464 describes an Arbitrary File Access vulnerability discovered in pyload-ng, a Python download manager. This flaw allows authenticated users with specific permissions to redirect downloads and potentially execute arbitrary code by exploiting the Flask session store. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3, and a fix is available in version 0.5.0b3.dev96.
The core of this vulnerability lies in the insufficient restriction of the storagefolder option within pyload-ng's configuration. While a previous fix (CVE-2026-33509) aimed to restrict admin-only options, the storagefolder was inadvertently omitted. An attacker with SETTINGS and ADD permissions can leverage this oversight to redirect downloads to the Flask filesystem session store. By planting a malicious pickle payload as a predictable session file, they can trigger arbitrary code execution upon any subsequent HTTP request containing the corresponding session cookie. This represents a significant escalation of privilege, potentially granting an attacker complete control over the system running pyload-ng.
This vulnerability was publicly disclosed on 2026-04-04. There is currently no indication of active exploitation campaigns targeting CVE-2026-35464. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests it could be relatively straightforward to exploit once a POC is developed. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS
0.09% (26% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35464 is to immediately upgrade pyload-ng to version 0.5.0b3.dev96 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing stricter access controls to limit the users who possess SETTINGS and ADD permissions. While not a complete solution, carefully reviewing and restricting user privileges can reduce the attack surface. Monitor the Flask session directory for unexpected files or modifications. There are no specific WAF rules or Sigma/YARA patterns readily available for this specific vulnerability, but general pickle deserialization detection rules may provide some level of protection.
Update pyLoad to version 0.5.0b3.dev96 or higher to mitigate the vulnerability. The update corrects the lack of protection in the 'storage_folder' option, preventing arbitrary code execution through the Flask session store.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35464 is a HIGH severity vulnerability in pyload-ng versions up to 0.5.0b3 that allows attackers to redirect downloads and potentially execute arbitrary code by manipulating session files.
You are affected if you are using pyload-ng version 0.5.0b3 or earlier. Upgrade to 0.5.0b3.dev96 or later to resolve the vulnerability.
Upgrade pyload-ng to version 0.5.0b3.dev96 or later. If upgrading is not immediately possible, restrict user permissions to minimize the attack surface.
There is currently no indication of active exploitation campaigns targeting CVE-2026-35464, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.
Refer to the pyload-ng project's official website and GitHub repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.