CVE-2026-35463

HighPublic PoC

Published: 07 April 2026

Published

07 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core…

config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to restrict non-admin users with SETTINGS permission from modifying security-critical plugin configuration options like the AntiVirus executable path.

AC-6 Least Privilege good match

prevent

Implements least privilege to ensure SETTINGS permission does not allow changes to plugin configs that enable remote code execution via subprocess.Popen().

CM-5 Access Restrictions for Change good match

prevent

Restricts access to configuration change activities for plugins storing executable paths to authorized admin personnel only.

Security SummaryAI

CVE-2026-35463 is a vulnerability in pyLoad, a free and open-source download manager written in Python, affecting versions 0.5.0b3.dev96 and earlier. The issue arises from the ADMIN_ONLY_OPTIONS protection mechanism, which limits access to security-critical configuration values—such as reconnect scripts, SSL certificates, and proxy credentials—to admin-only users. However, this safeguard applies only to core config options and excludes plugin config options. Specifically, the AntiVirus plugin stores an executable path (avfile) in its configuration, which is passed directly to subprocess.Popen() without additional validation.

A non-admin user with SETTINGS permission can exploit this by modifying the AntiVirus plugin's avfile path, enabling remote code execution via OS command injection (CWE-78). The attack requires low privileges over the network with low complexity and no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8), allowing the attacker to achieve high confidentiality, integrity, and availability impacts on the affected system.

The pyLoad GitHub repository details mitigation in commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 and security advisory GHSA-w48f-wwwf-f5fr, published on 2026-04-07.

Details

CWE(s): CWE-78

Affected Products

pyload-ng project

pyload-ng

≤ 0.5.0b3.dev96

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (pyLoad) by low-privileged remote users via command injection in plugin configuration passed to subprocess.Popen(), directly facilitating T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1
Patch · security-advisories@github.com
https://github.com/pyload/pyload/security/advisories/GHSA-w48f-wwwf-f5fr
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com