PT-2026-31673 · Pyload · Pyload

Komi22 · Published 2026-04-08 · Updated 2026-04-28 · CVE-2026-40071

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev97

Description: Certain WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke, allowing authenticated low-privileged users to execute MODIFY operations that the permission model should deny. Specifically, users with ADD permissions can reorder packages and files via the endpoints '/json/package_order' and '/json/link_order', while users with DELETE permissions can abort downloads via '/json/abort_link'. This occurs because these endpoints call the core API functions order_package(), order_file() and stop_downloads(), which normally require MODIFY permissions, but the endpoints themselves apply weaker authorization checks.

Recommendations: Update to version 0.5.0b3.dev97.
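The mismatch described above, modelled as an added Python example that is not pyLoad's code: a core-API method tagged as MODIFY, an endpoint gated only on ADD that reaches it, the corrected endpoint, and an audit that flags endpoints whose own guard is weaker than what their callees require. The decorators, function names and permission bit values are constructed for illustration.

```python
from enum import IntFlag
from functools import wraps

class Perms(IntFlag):
    # Constructed permission bits for illustration, not pyLoad's real values
    ADD = 1
    DELETE = 2
    MODIFY = 4

class PermissionDenied(Exception):
    pass

def permission(perm):
    """Core-API decorator: only records what the method needs. Enforcement is
    left to the calling layer, which is where a weaker check can slip in."""
    def deco(fn):
        fn.required_perm = perm
        return fn
    return deco

def login_required(perm, calls=()):
    """Endpoint decorator: enforce `perm` against the caller's permission set.
    `calls` lists the core-API functions the endpoint invokes, for the audit."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user_perms, *args, **kwargs):
            if not user_perms & perm:
                raise PermissionDenied(f"{fn.__name__}: {perm.name} required")
            return fn(user_perms, *args, **kwargs)
        wrapper.endpoint_perm, wrapper.calls = perm, calls
        return wrapper
    return deco

@permission(Perms.MODIFY)  # core API: reordering a package is a MODIFY operation
def order_package(pid, position):
    return ("reordered", pid, position)

@login_required(Perms.ADD, calls=(order_package,))  # vulnerable shape: weaker gate
def package_order_weak(user_perms, pid, position):
    return order_package(pid, position)

@login_required(Perms.MODIFY, calls=(order_package,))  # fixed: gate matches callee
def package_order_fixed(user_perms, pid, position):
    return order_package(pid, position)

def audit_endpoints(endpoints):
    """Names of endpoints whose guard does not imply every callee's requirement."""
    return [ep.__name__ for ep in endpoints
            if any((ep.endpoint_perm & c.required_perm) != c.required_perm
                   for c in ep.calls)]
```

Running audit_endpoints over the WebUI's endpoint table is the kind of one-off check that would have surfaced all three affected endpoints at once.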

Weakness Enumeration: Improper Authorization; Incorrect Authorization

Related Identifiers: CVE-2026-40071; GHSA-RFGH-63MG-8PWM

Affected Products: Pyload