PT-2026-30340 · Pyload · Anti-Virus+1

Axel-Corsiez · Published 2026-04-04 · Updated 2026-05-15 · CVE-2026-35463

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pyLoad (affected versions not specified)

Description: The ADMIN_ONLY_OPTIONS protection mechanism, intended to restrict access to sensitive configuration values, is not applied to plugin configuration options. Specifically, the AntiVirus plugin stores an executable path (avfile) in its configuration, which is then passed directly to subprocess.Popen(). A non-admin user with the SETTINGS permission can modify this path to execute arbitrary code. The vulnerability also allows arbitrary file read through manipulation of the storage_folder configuration option: an attacker can set storage_folder to '/' and then access files such as /etc/passwd via the /files/get/ API endpoint. This results in remote code execution, potential privilege escalation, and arbitrary file read.

API Endpoints: /api/set_config_value, /api/add_package, /files/get/
Vulnerable Parameters or Variables: avfile, avargs, storage_folder, section, option, value
Vulnerable Functions: scan_file(), set_config_value()

Recommendations: Apply ADMIN_ONLY_OPTIONS to plugin configurations. Specifically, add plugin options that control executables or paths, such as AntiVirus.avfile and AntiVirus.avargs, to the ADMIN_ONLY_PLUGIN_OPTIONS set within the set_config_value() function. Alternatively, validate that the avfile parameter points to a known and trusted antivirus binary before passing it to subprocess.Popen().
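The hardening the recommendations describe, as an added example that is not pyLoad's own code: an admin-only gate inside a set_config_value handler, a value check that keeps storage_folder under the download root, and an allowlist check on avfile applied again right before scan_file() would build its command. The option set, the allowlisted binary paths, the download root, the (status, message) return shape and the user dictionary layout are all assumptions.

```python
import os
import shlex

# Constructed policy: plugin options only an admin may change (they name an
# executable, its arguments, or the folder served by /files/get/).
ADMIN_ONLY_PLUGIN_OPTIONS = {("AntiVirus", "avfile"), ("AntiVirus", "avargs"),
                             ("general", "storage_folder")}
# Constructed allowlist of scanner binaries and download root (assumed paths).
TRUSTED_AV_BINARIES = {"/usr/bin/clamscan", "/usr/bin/clamdscan"}
DOWNLOAD_ROOT = "/var/lib/pyload/downloads"

def validate_avfile(path):
    """Accept only an allowlisted absolute path, compared after normalisation."""
    return os.path.isabs(path) and os.path.normpath(path) in TRUSTED_AV_BINARIES

def validate_storage_folder(path):
    """Keep the folder inside DOWNLOAD_ROOT; rejects '/' and '..' traversal."""
    real = os.path.normpath(path)
    return os.path.isabs(real) and (real == DOWNLOAD_ROOT
                                    or real.startswith(DOWNLOAD_ROOT + os.sep))

VALIDATORS = {("AntiVirus", "avfile"): validate_avfile,
              ("general", "storage_folder"): validate_storage_folder}

def set_config_value(user, section, option, value, config):
    """Server-side handler; returns (status, message) like an API response."""
    if "SETTINGS" not in user["perms"]:
        return "denied", "SETTINGS permission required"
    if (section, option) in ADMIN_ONLY_PLUGIN_OPTIONS and not user["is_admin"]:
        return "denied", f"{section}.{option} is admin-only"
    check = VALIDATORS.get((section, option))
    if check is not None and not check(value):
        return "invalid", f"rejected value for {section}.{option}"
    config[(section, option)] = value
    return "ok", f"{section}.{option} updated"

def build_scan_argv(config, target):
    """Defence in depth for scan_file(): re-check avfile right before running it
    and build an argv list (no shell), so avargs cannot smuggle extra commands."""
    avfile = config.get(("AntiVirus", "avfile"), "")
    if not validate_avfile(avfile):
        raise ValueError("avfile is not a trusted scanner binary")
    return [avfile, *shlex.split(config.get(("AntiVirus", "avargs"), "")), target]
```

The argv list returned by build_scan_argv is what scan_file() would hand to subprocess.Popen(); because the check runs at use time as well as at configuration time, a value written before the gate was added is still refused.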

Tags: Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-35463
GHSA-W48F-WWWF-F5FR

Affected Products

Anti-Virus
Pyload