PT-2026-30896 · Pyload · Pyload

Offset · Published 2026-04-07 · Updated 2026-05-15 · CVE-2026-35586

CVSS v3.1: 6.8 Medium

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

pyLoad versions prior to 0.5.0b3.dev97

Description

pyLoad, a download manager written in Python, had an authorization issue in the set_config_value() function. The ADMIN_ONLY_CORE_OPTIONS check used incorrect option names (ssl_cert and ssl_key) instead of the actual configuration option names (ssl_certfile and ssl_keyfile). This mismatch allowed users with SETTINGS permission to overwrite the SSL certificate and key file paths, bypassing the intended admin-only restriction. The ssl_certchain option was also not included in the admin-only check.

Recommendations

Update to version 0.5.0b3.dev97 or later.
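
The name mismatch described above, modeled as an added example (not pyLoad's source and not part of the advisory), together with a regression check that flags deny-list entries naming no real option. The (section, option) tuple layout, the "webui" section name, the role strings, the helper names and the sample schema are assumptions; only the ssl_* option names come from the advisory.

```python
# Constructed model of the admin-only check; not pyLoad source code.

# Constructed stand-in for the real config schema (section -> option names).
# "webui", "use_ssl" and "theme" are assumptions for illustration.
CONFIG_SCHEMA = {
    "webui": {"ssl_certfile", "ssl_keyfile", "ssl_certchain", "use_ssl", "theme"},
}

# Deny-list as the advisory describes it before the fix: names that match
# no real option, and no entry for ssl_certchain.
ADMIN_ONLY_BEFORE = {("webui", "ssl_cert"), ("webui", "ssl_key")}

# Deny-list using the actual option names, including ssl_certchain.
ADMIN_ONLY_AFTER = {
    ("webui", "ssl_certfile"),
    ("webui", "ssl_keyfile"),
    ("webui", "ssl_certchain"),
}


def may_set(role, section, option, admin_only):
    """Return True if `role` is allowed to write (section, option)."""
    if role == "ADMIN":
        return True
    if role != "SETTINGS":
        return False
    # A SETTINGS user may write anything that is not on the deny-list, so a
    # misspelled entry silently leaves the real option writable.
    return (section, option) not in admin_only


def dead_entries(admin_only, schema):
    """Deny-list entries that name no option in the schema.

    Such entries protect nothing; a unit test asserting this list is empty
    catches the typo class of bug before release.
    """
    return sorted(
        (section, option)
        for section, option in admin_only
        if option not in schema.get(section, set())
    )


if __name__ == "__main__":
    for label, deny in (("before", ADMIN_ONLY_BEFORE), ("after", ADMIN_ONLY_AFTER)):
        allowed = may_set("SETTINGS", "webui", "ssl_certfile", deny)
        print(label, "SETTINGS may set ssl_certfile:", allowed,
              "| dead entries:", dead_entries(deny, CONFIG_SCHEMA))
```

The dead-entry check only catches misspelled names; the missing ssl_certchain entry is an omission and needs a separate review of which options accept file paths.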

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-35586
GHSA-PPVX-RWH9-7RJ7
PYSEC-2026-123

Affected Products

Pyload