{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33509", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.889Z", "datePublished": "2026-03-24T18:55:37.033Z", "dateUpdated": "2026-03-26T19:52:12.902Z"}, "containers": {"cna": {"title": "pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": ">= 0.4.0, < 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:55:37.033Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder \u2014 all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-r7mc-x6x7-cqxx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33509", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:33:56.387911Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:12.902Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB32D0BF-DFC8-436B-9CE6-58734DFE7153", "versionEndIncluding": "0.4.20", "versionStartIncluding": "0.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "FCF4830F-E848-4F80-AB82-2040E219E677", "versionEndExcluding": "0.5.0b3.dev97", "versionStartIncluding": "0.5.0a5.dev528", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder \u2014 all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python. Desde la versi\u00f3n 0.4.0 hasta antes de la versi\u00f3n 0.5.0b3.dev97, el endpoint de la API set_config_value() permite a los usuarios con el permiso SETTINGS (no-administrador) modificar cualquier opci\u00f3n de configuraci\u00f3n sin restricci\u00f3n. La opci\u00f3n de configuraci\u00f3n reconnect.script controla una ruta de archivo que se pasa directamente a subprocess.run() en la l\u00f3gica de reconexi\u00f3n del gestor de hilos. Un usuario con permiso SETTINGS puede establecer esto a cualquier archivo ejecutable en el sistema, logrando la ejecuci\u00f3n remota de c\u00f3digo. La \u00fanica validaci\u00f3n en set_config_value() es una comprobaci\u00f3n codificada para general.storage_folder \u2014 todas las dem\u00e1s configuraciones cr\u00edticas de seguridad, incluyendo reconnect.script, son escribibles sin ninguna lista blanca o restricci\u00f3n de ruta. Este problema ha sido parcheado en la versi\u00f3n 0.5.0b3.dev97."}], "id": "CVE-2026-33509", "lastModified": "2026-03-26T20:47:02.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T20:16:30.053", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.4.0,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-03-24T20:23:56.471347+00:00", "value": {"mitigation_remediation": ["Update pyload to version 0.5.0b3.dev97 or later.", "Remove or restrict the SETTINGS permission from all non-admin users.", "Verify that the reconnect.script configuration is set to a safe value or blank.", "Audit running processes for unexpected subprocess execution from pyload.", "If an update cannot be applied immediately, disable the set_config_value endpoint or block external access to it."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All pyload releases from version 0.4.0 up to, but not including, 0.5.0b3.dev97 are affected. The issue was fixed in release 0.5.0b3.dev97 and later versions. Users running older builds should verify that the reconnect.script configuration is not set to executable content and that non-admin users do not possess SETTINGS permission.", "description_and_impact": "The vulnerability resides in the set_config_value API of the pyload download manager. Any user granted the non-admin SETTINGS permission can alter any configuration key, including reconnect.script, which is passed unvalidated directly to subprocess.run() when the thread manager reconnects. By setting reconnect.script to an arbitrary executable, the attacker can launch code on the host. This yields full remote code execution on the system where pyload runs, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score for this flaw is 7.5, indicating a high severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication with SETTINGS permission, but does not require administrative privileges. An attacker can exploit the vulnerable endpoint remotely by sending a crafted request to set_config_value, which the server processes without sufficient validation. Once exploited, arbitrary executable code runs with the privileges of the pyload process."}}}}, "created": "2026-03-25T11:46:26.680974+00:00", "updated": "2026-03-25T20:57:52.172163+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}