CVE-2026-33509 describes a Remote Code Execution (RCE) vulnerability in pyload-ng, a Python-based download manager. This flaw allows users with the SETTINGS permission (but not admin rights) to modify any configuration option, including the reconnect.script setting, which directly controls a file path passed to subprocess.run(). This enables an attacker to execute arbitrary code on the system. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3.dev96, and a fix is available in version 0.5.0b3.dev97.
The impact of CVE-2026-33509 is severe. An attacker who can obtain the SETTINGS permission within pyload-ng can leverage this vulnerability to achieve full remote code execution on the affected system. This means they could install malware, steal sensitive data, modify system configurations, or even gain persistent access. The reconnect.script setting is particularly dangerous because it directly executes a user-controlled file path via subprocess.run(), bypassing typical security checks. The lack of validation beyond a hardcoded check for general.storage_folder makes almost all settings vulnerable. This vulnerability shares similarities with other configuration-based RCE exploits where user-controlled paths are passed to system commands without proper sanitization.
CVE-2026-33509 was published on 2026-03-20. There is no indication of this vulnerability being added to the CISA KEV catalog (as of the publication date). Public proof-of-concept (PoC) code is currently unknown, but the vulnerability's nature suggests it could be easily exploited once a PoC is developed. Active exploitation campaigns are not currently confirmed, but the ease of exploitation makes it a potential target.
Organizations and individuals using pyload-ng for download management, particularly those with multiple users or shared hosting environments, are at risk. Systems where the SETTINGS permission has been granted to non-administrative users are especially vulnerable. Legacy configurations that haven't been regularly updated are also at increased risk.
• linux / server:
    journalctl -u pyload-ng | grep -i "reconnect.script"
• python / supply-chain:
    import json
    import os

    # Config path as given on this page; adjust it to your installation.
    config_path = os.path.expanduser('~/.config/pyload-ng/config.json')
    with open(config_path, 'r') as f:
        config = json.load(f)

    # Report any configured reconnect script so it can be reviewed.
    if 'reconnect' in config and 'script' in config['reconnect']:
        print(f"Potential vulnerability: reconnect.script set to {config['reconnect']['script']}")
• generic web:
Use curl or wget to check for the existence of the /api/v1/settings/setconfigvalue endpoint. Examine the response headers for any unusual or unexpected content.
EPSS: 0.08% (25th percentile)
The primary mitigation for CVE-2026-33509 is to upgrade pyload-ng to version 0.5.0b3.dev97 or later, which includes the fix. If upgrading is not immediately feasible, consider restricting the SETTINGS permission to trusted users only. Implement a Web Application Firewall (WAF) or proxy to filter requests to the setconfigvalue() API endpoint, specifically blocking attempts to modify the reconnect.script setting. Review all configuration options and ensure that any user-writable settings are properly validated and sanitized. After upgrading, verify the fix by attempting to modify the reconnect.script setting with a non-executable file and confirming that the operation fails with an appropriate error message.
Upgrade pyLoad to version 0.5.0b3.dev97 or later. This version fixes the vulnerability that allows remote code execution through the reconnect script configuration.
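One way to apply the validation advice above at the API layer, as an added example that is not pyload-ng's code or its actual fix: a deny-by-default check placed in front of the configuration setter. The User class, the function names and the list of options a SETTINGS-only user may change are assumptions made for illustration.

```python
# Added illustration, not pyload-ng code. All names here are hypothetical.
from dataclasses import dataclass

# Options whose value reaches a process launch or a filesystem path.
# These two are the only option names this page mentions.
ADMIN_ONLY = {("reconnect", "script"), ("general", "storage_folder")}

# Constructed allowlist: everything not listed is refused for non-admins.
SETTINGS_ALLOWED = {("download", "max_downloads"), ("download", "max_speed")}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    can_settings: bool = False  # models the SETTINGS permission


class ConfigDenied(Exception):
    """Raised when a user may not change the requested option."""


def authorize_config_change(user, section, option):
    # Normalize before comparing so "Reconnect"/" SCRIPT " cannot slip past.
    key = (section.strip().lower(), option.strip().lower())
    if user.is_admin:
        return key
    if not user.can_settings:
        raise ConfigDenied(f"{user.name}: SETTINGS permission required")
    if key in ADMIN_ONLY:
        raise ConfigDenied(f"{user.name}: {key[0]}.{key[1]} is admin-only")
    if key not in SETTINGS_ALLOWED:
        raise ConfigDenied(f"{user.name}: {key[0]}.{key[1]} is not allowlisted")
    return key


def set_config_value(store, user, section, option, value):
    # Authorization happens before any write, so a denied call leaves
    # the store untouched.
    sec, opt = authorize_config_change(user, section, option)
    store.setdefault(sec, {})[opt] = value
    return store
```

The allowlist makes a newly added option admin-only until someone decides otherwise, which is the opposite of the single hardcoded check described above.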
CVE-2026-33509 is a Remote Code Execution vulnerability in pyload-ng where a privileged user can modify the reconnect.script configuration to execute arbitrary code.
You are affected if you are using pyload-ng versions ≤0.5.0b3.dev96 and have users with the SETTINGS permission.
Upgrade to pyload-ng version 0.5.0b3.dev97 or later. Restrict the SETTINGS permission to trusted users as a temporary workaround.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official pyload-ng project's website or GitHub repository for the latest security advisories and updates.