Platform
python
Component
pyload-ng
Fixed in
0.5.1
CVE-2026-35464 describes an Arbitrary File Access vulnerability discovered in pyload-ng, a Python download manager. This flaw allows authenticated users with specific permissions to redirect downloads and potentially execute arbitrary code by exploiting the Flask session store. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3, and a fix is available in version 0.5.0b3.dev96.
The core of this vulnerability lies in the insufficient restriction of the storagefolder option within pyload-ng's configuration. While a previous fix (CVE-2026-33509) aimed to restrict admin-only options, the storagefolder was inadvertently omitted. An attacker with SETTINGS and ADD permissions can leverage this oversight to redirect downloads to the Flask filesystem session store. By planting a malicious pickle payload as a predictable session file, they can trigger arbitrary code execution upon any subsequent HTTP request containing the corresponding session cookie. This represents a significant escalation of privilege, potentially granting an attacker complete control over the system running pyload-ng.
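The flaw described above is an authorization and path-validation gap: a configuration option that can point downloads anywhere, reachable by non-admin users. The following is an added illustration of the kind of guard such an option needs, not pyload-ng's own code or its actual fix; the option name `storagefolder`, the directory layout under `/srv/pyload`, and the `apply_setting` gate are assumptions for the example.

```python
import os

# Assumed deployment layout for this example (not pyload-ng's real paths).
APP_ROOT = "/srv/pyload"
ALLOWED_DOWNLOAD_ROOT = os.path.join(APP_ROOT, "downloads")
PROTECTED_DIRS = [
    os.path.join(APP_ROOT, "flask_session"),  # Flask filesystem session store
    os.path.join(APP_ROOT, "config"),
]

# Assumed set of options that only administrators may change.
ADMIN_ONLY_OPTIONS = {"storagefolder"}


def _is_within(path, root):
    """True if path equals root or lies underneath it, after resolving '..' and symlinks."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def validate_storage_folder(candidate, allowed_root=ALLOWED_DOWNLOAD_ROOT, protected=PROTECTED_DIRS):
    """Reject a download folder that escapes the allowed root or points into a protected directory.

    Both checks are kept on purpose: the allowlist is the primary control, the denylist still
    catches a deployment where the session store happens to live under the download root.
    """
    if not os.path.isabs(candidate):
        return False, "storage folder must be an absolute path"
    if not _is_within(candidate, allowed_root):
        return False, f"storage folder must stay under {allowed_root}"
    for protected_dir in protected:
        if _is_within(candidate, protected_dir):
            return False, f"storage folder may not point into {protected_dir}"
    return True, "ok"


def apply_setting(option, value, user_is_admin):
    """Authorization gate: admin-only options require admin; storagefolder also needs a valid path."""
    if option in ADMIN_ONLY_OPTIONS and not user_is_admin:
        return False, f"{option} is admin-only"
    if option == "storagefolder":
        return validate_storage_folder(value)
    return True, "ok"


if __name__ == "__main__":
    for path in ["/srv/pyload/downloads/movies", "/srv/pyload/downloads/../flask_session"]:
        print(path, apply_setting("storagefolder", path, user_is_admin=True))
```

The `realpath` step matters: a check on the raw string would accept `downloads/../flask_session`, which resolves to the session store.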
This vulnerability was publicly disclosed on 2026-04-04. There is currently no indication of active exploitation campaigns targeting CVE-2026-35464. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests it could be relatively straightforward to exploit once a POC is developed. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Organizations and individuals utilizing pyload-ng for download management, particularly those with multiple users and less stringent access controls, are at risk. Shared hosting environments where multiple users share the same pyload-ng instance are especially vulnerable, as an attacker could potentially compromise the entire environment through a single user account.
• python / server:

```python
import os

# Check for unusual files in the Flask session directory.
# Adjust the path to the session store of your pyload-ng deployment.
session_dir = '/path/to/your/pyload-ng/flask_session'
for filename in os.listdir(session_dir):
    if filename.endswith('.pkl'):
        print(f"Suspicious pickle file found: {os.path.join(session_dir, filename)}")
```

• shell / server:

```shell
# Monitor for unusual processes accessing the Flask session directory
ps aux | grep 'pickle' | grep '/path/to/your/pyload-ng/flask_session'
```
Exploit Status
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35464 is to immediately upgrade pyload-ng to version 0.5.0b3.dev96 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing stricter access controls to limit the users who possess SETTINGS and ADD permissions. While not a complete solution, carefully reviewing and restricting user privileges can reduce the attack surface. Monitor the Flask session directory for unexpected files or modifications. There are no specific WAF rules or Sigma/YARA patterns readily available for this specific vulnerability, but general pickle deserialization detection rules may provide some level of protection.
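Monitoring the session directory is the detection control named above. Because a filesystem session store keeps legitimate sessions pickled as well, the presence of pickle data by itself is not a signal; what distinguishes a planted file is a reference to a module a session payload never needs. The following is an added example, not part of the original advisory or of pyload-ng: it walks the pickle opcode stream with `pickletools.genops` (nothing is ever unpickled) and flags `GLOBAL`/`STACK_GLOBAL` references into an assumed denylist of modules. The session file names and the sample payloads are constructed for the example; the suspicious samples only reference `os.getcwd` and are inspected, never loaded.

```python
import os
import pickle
import pickletools
import tempfile

# Modules a legitimate Flask session payload (dicts, strings, numbers, datetimes)
# never needs to import. Assumed denylist for this example; extend per deployment.
SUSPICIOUS_MODULES = {
    "os", "posix", "nt", "subprocess", "sys", "builtins", "shutil",
    "socket", "pty", "code", "importlib", "runpy",
}


def global_references(data):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL opcode in a pickle."""
    recent_strings = []  # STACK_GLOBAL takes module and name from the two preceding strings
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, _, name = arg.partition(" ")  # protocols 0-3 encode "module name"
            yield module, name
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                yield recent_strings[-2], recent_strings[-1]
        elif isinstance(arg, str):
            recent_strings.append(arg)


def scan_session_bytes(data):
    """Return findings for one serialized session; an empty list means nothing suspicious."""
    findings = []
    try:
        for module, name in global_references(data):
            if module.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"{module}.{name}")
    except Exception as exc:  # a session file that is not a well-formed pickle deserves a look too
        findings.append(f"unparseable: {exc}")
    return findings


def scan_session_dir(session_dir):
    """Map each file in the session store to its findings (only files with findings)."""
    report = {}
    for filename in sorted(os.listdir(session_dir)):
        path = os.path.join(session_dir, filename)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                findings = scan_session_bytes(fh.read())
            if findings:
                report[filename] = findings
    return report


# Constructed samples: a realistic benign session dict, and two payloads that reference
# os.getcwd via GLOBAL (protocol 0) and via STACK_GLOBAL (protocol 4).
BENIGN_SESSION = pickle.dumps({"_permanent": True, "user_id": 1, "name": "alice"}, protocol=4)
SUSPICIOUS_PROTO0 = b"cos\ngetcwd\n."
SUSPICIOUS_PROTO4 = b"\x80\x04\x8c\x02os\x8c\x06getcwd\x93."


def demo_scan():
    """Write the constructed samples into a temporary session directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("2f1a_benign", BENIGN_SESSION), ("9c0b_planted", SUSPICIOUS_PROTO4)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return scan_session_dir(tmp)


if __name__ == "__main__":
    print(demo_scan())
```

Run it from a cron job or a file-change hook against the real session directory; a non-empty report is the alert. Legitimate imports that a session may carry (for example `datetime`) are not on the list, so tune the denylist against a clean baseline before trusting it.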
Update pyLoad to version 0.5.0b3.dev96 or later to mitigate the vulnerability. The update fixes the missing protection on the 'storage_folder' option, preventing arbitrary code execution through the Flask session store.
CVE-2026-35464 is a HIGH severity vulnerability in pyload-ng versions up to 0.5.0b3 that allows attackers to redirect downloads and potentially execute arbitrary code by manipulating session files.
You are affected if you are using pyload-ng version 0.5.0b3 or earlier. Upgrade to 0.5.0b3.dev96 or later to resolve the vulnerability.
Upgrade pyload-ng to version 0.5.0b3.dev96 or later. If upgrading is not immediately possible, restrict user permissions to minimize the attack surface.
There is currently no indication of active exploitation campaigns targeting CVE-2026-35464, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.
Refer to the pyload-ng project's official website and GitHub repository for the latest security advisories and updates.