PT-2026-30341 · Flask+1

Kodareef5 · Published 2026-04-04 · Updated 2026-05-15 · CVE-2026-35464

CVSS v3.1: 7.5 High

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

pyLoad (affected versions not specified)

Description

pyLoad, a Python-based download manager, has a flaw where a user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store. This allows planting a malicious pickle payload as a predictable session file, triggering arbitrary code execution when any HTTP request arrives with the corresponding session cookie. The vulnerability stems from the storage folder option not being included in the ADMIN ONLY OPTIONS set, bypassing path restrictions. The Flask session directory is outside the restricted paths (PKGDIR and userdir). This is an incomplete fix for a prior issue. The vulnerability allows arbitrary file write to the Flask session store, leading to remote code execution (RCE). The RCE trigger is unauthenticated.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
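
The two checks the description says were missing, sketched as an added example; it is not pyLoad's code and not the project's fix. All names (ADMIN_ONLY_KEYS, the storage_folder key, check_option_change) and the directory layout are assumptions constructed for illustration: the option is gated to administrators, and the requested folder is rejected if it resolves into any protected directory, with the session store on that list alongside PKGDIR and userdir.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical names throughout; this is not pyLoad's code or API.
ADMIN_ONLY_KEYS = {"storage_folder"}  # assumed key for the storage folder option


def is_within(child: Path, parent: Path) -> bool:
    """True if child is parent or lies beneath it once symlinks and '..' are resolved."""
    child, parent = child.resolve(), parent.resolve()
    return child == parent or parent in child.parents


def check_option_change(key, value, is_admin, protected_dirs):
    """Return (allowed, reason) for a requested config change."""
    if key in ADMIN_ONLY_KEYS and not is_admin:
        return False, "admin-only option"
    if key == "storage_folder":
        for protected in protected_dirs:
            if is_within(Path(value), Path(protected)):
                return False, "inside protected directory"
    return True, "ok"


def demo():
    """Run the check over a constructed directory layout (sample data, not real paths)."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        pkgdir, userdir, sessions, downloads = (
            root / "pkg", root / "user", root / "flask_session", root / "downloads")
        for d in (pkgdir, userdir, sessions, downloads):
            d.mkdir()
        os.symlink(sessions, root / "alias")  # symlink pointing at the session store
        protected = [pkgdir, userdir, sessions]
        cases = {
            "admin_downloads": (downloads, True),
            "user_downloads": (downloads, False),
            "admin_sessions": (sessions, True),
            "admin_dotdot": (downloads / ".." / "flask_session", True),
            "admin_symlink": (root / "alias" / "sub", True),
        }
        return {name: check_option_change("storage_folder", str(p), adm, protected)
                for name, (p, adm) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Resolving the path before comparison is what makes the `..` and symlink cases fail; a plain string-prefix comparison would pass both.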

Exploit

RCE

Incorrect Authorization

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-35464
GHSA-4744-96P5-MP2J

Affected Products

Flask
pyLoad