PT-2026-40426 · Pyload · Pyload

Nssys · Published 2026-05-12 · Updated 2026-05-28 · CVE-2026-45306

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

pyLoad (affected versions not specified)

Description

An authenticated attacker with administrative privileges can achieve account takeover by stealing session files of other users. The issue arises because the software fails to block the storage folder variable from being set to the Flask session directory, typically located at '/tmp/pyLoad/flask'. By setting the storage folder to this path, an attacker can use the '/files/get/' endpoint to download session files, allowing them to impersonate other users.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
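
A defensive check for the condition in the description, as an added example (not pyLoad's code and not its fix): before accepting a new storage folder, resolve the path and reject it if it equals, sits inside, or contains the session directory. The function names are hypothetical; only the '/tmp/pyLoad/flask' path comes from the advisory, and the test paths are constructed in a scratch directory.

```python
import os
import tempfile

# Session directory as named in the advisory; all function names are hypothetical.
FLASK_SESSION_DIR = "/tmp/pyLoad/flask"


def _resolve(path):
    # realpath collapses "..", repeated slashes and symlinks before any comparison
    return os.path.realpath(os.path.expanduser(path))


def overlaps(candidate, protected):
    """True if candidate equals, lies inside, or contains the protected directory."""
    cand, prot = _resolve(candidate), _resolve(protected)
    common = os.path.commonpath([cand, prot])
    # common == prot: candidate is the protected dir or below it
    # common == cand: candidate is an ancestor, so the protected dir is reachable from it
    return common == cand or common == prot


def storage_folder_allowed(candidate, protected_dirs=(FLASK_SESSION_DIR,)):
    """Accept a storage folder only if it overlaps none of the protected directories."""
    return not any(overlaps(candidate, p) for p in protected_dirs)


def demo():
    """Check constructed paths in a scratch tree; returns {label: allowed}."""
    with tempfile.TemporaryDirectory() as root:
        sessions = os.path.join(root, "pyLoad", "flask")
        downloads = os.path.join(root, "downloads")
        os.makedirs(sessions)
        os.makedirs(downloads)
        link = os.path.join(root, "innocent")
        os.symlink(sessions, link)  # harmless-looking name that resolves to the session dir
        cases = {
            "downloads": downloads,
            "exact": sessions,
            "parent": os.path.join(root, "pyLoad"),
            "dotdot": os.path.join(downloads, "..", "pyLoad", "flask"),
            "symlink": link,
        }
        return {k: storage_folder_allowed(v, (sessions,)) for k, v in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:10s} {'allowed' if allowed else 'rejected'}")
```

A check at configuration time only covers the path as it resolves at that moment, so the code that serves files should resolve each requested path the same way and confirm it stays inside the storage folder and outside the session directory.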

Related Identifiers

CVE-2026-45306
GHSA-W727-595X-PC3R

Affected Products

Pyload