PT-2026-26792 · Pyload · Pyload

Restriction · Published 2026-03-20 · Updated 2026-05-28 · CVE-2026-33509

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pyLoad versions 0.4.0 through 0.5.0b3.dev96
Description: pyLoad, a free and open-source download manager written in Python, contains a flaw in the set_config_value() API endpoint. Users holding the non-admin SETTINGS permission can modify any configuration option without restriction. In particular, the reconnect.script option holds a file path that the thread manager's reconnect logic passes directly to subprocess.run(). An attacker with SETTINGS permission can therefore point it at any executable file on the system, leading to Remote Code Execution (RCE). The only validation in set_config_value() is a hardcoded check for general.storage_folder; every other security-critical setting, including reconnect.script, remains writable without an allowlist or path restriction. A subsequent vulnerability allows redirecting downloads into the Flask filesystem session store, planting a malicious pickle payload, and triggering RCE when the session is deserialized.
Recommendations: Update to a version after 0.5.0b3.dev97. As a temporary workaround, restrict access to the set_config_value() API endpoint for users with SETTINGS permission. Additionally, consider restricting the general.storage_folder configuration option to prevent the session-poisoning RCE.
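The following is an added example, not pyLoad's own code: it places the single hardcoded check the advisory describes beside a deny-by-default write policy for a set_config_value()-style API, where non-admin SETTINGS users may write only allowlisted options and reconnect.script is confined to an admin-controlled directory. Role, Forbidden, SCRIPT_DIR, write_allowed and the option keys other than reconnect.script and general.storage_folder are assumptions.

```python
# Added example, not pyLoad's code; Role, Forbidden and SCRIPT_DIR are assumptions.
import os
from enum import Enum

class Role(Enum):
    ADMIN = "admin"
    SETTINGS = "settings"  # non-admin user holding the SETTINGS permission

class Forbidden(Exception):
    """Raised when a caller may not write the requested option or value."""

# The two keys the advisory names: one feeds subprocess.run(), the other
# decides where downloads land (the session-store poisoning path).
ADMIN_ONLY = frozenset({"reconnect.script", "general.storage_folder"})
# Deny-by-default allowlist for SETTINGS users (illustrative keys).
SETTINGS_WRITABLE = frozenset({"download.max_downloads", "download.limit_speed"})
# Assumed admin-controlled directory that reconnect scripts must live in.
SCRIPT_DIR = os.path.realpath("/etc/pyload/scripts")

def set_config_value_vulnerable(config, role, section, option, value):
    """Pattern the advisory describes: one hardcoded check, all else writable."""
    key = f"{section}.{option}"
    if key == "general.storage_folder" and role is not Role.ADMIN:
        raise Forbidden(key)
    config[key] = value  # reconnect.script is accepted from a SETTINGS user

def set_config_value_hardened(config, role, section, option, value):
    """Non-admins write only allowlisted keys; script paths are confined."""
    key = f"{section}.{option}"
    if role is not Role.ADMIN and (key in ADMIN_ONLY or key not in SETTINGS_WRITABLE):
        raise Forbidden(key)
    if key == "reconnect.script" and value:
        # Path restriction even for admins: resolve symlinks and "..", then
        # require the script to sit inside SCRIPT_DIR.
        value = os.path.realpath(str(value))
        if os.path.commonpath([value, SCRIPT_DIR]) != SCRIPT_DIR:
            raise Forbidden(f"{key} outside {SCRIPT_DIR}")
    config[key] = value

def write_allowed(setter, role, section, option, value):
    """True if `setter` accepts the write (used by the checks below)."""
    try:
        setter({}, role, section, option, value)
        return True
    except Forbidden:
        return False
```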

Fix

RCE

Weakness Enumeration

Improper Privilege Management
Incorrect Authorization
Deserialization of Untrusted Data

Related Identifiers

CVE-2026-33509
GHSA-4744-96P5-MP2J
GHSA-R7MC-X6X7-CQXX

Affected Products

Pyload