{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33509", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.889Z", "datePublished": "2026-03-24T18:55:37.033Z", "dateUpdated": "2026-03-26T19:52:12.902Z"}, "containers": {"cna": {"title": "pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": ">= 0.4.0, < 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:55:37.033Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder \u2014 all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97."}], "source": {"advisory": "GHSA-r7mc-x6x7-cqxx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33509", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:33:56.387911Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:12.902Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33509", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:33:56.387911Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:51:20.432Z"}}], "cna": {"title": "pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration", "source": {"advisory": "GHSA-r7mc-x6x7-cqxx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": ">= 0.4.0, < 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder \u2014 all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:55:37.033Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33509", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:12.902Z", "dateReserved": "2026-03-20T16:59:08.889Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T18:55:37.033Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB32D0BF-DFC8-436B-9CE6-58734DFE7153", "versionEndIncluding": "0.4.20", "versionStartIncluding": "0.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*", "matchCriteriaId": "FCF4830F-E848-4F80-AB82-2040E219E677", "versionEndExcluding": "0.5.0b3.dev97", "versionStartIncluding": "0.5.0a5.dev528", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder \u2014 all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python. Desde la versi\u00f3n 0.4.0 hasta antes de la versi\u00f3n 0.5.0b3.dev97, el endpoint de la API set_config_value() permite a los usuarios con el permiso SETTINGS (no-administrador) modificar cualquier opci\u00f3n de configuraci\u00f3n sin restricci\u00f3n. La opci\u00f3n de configuraci\u00f3n reconnect.script controla una ruta de archivo que se pasa directamente a subprocess.run() en la l\u00f3gica de reconexi\u00f3n del gestor de hilos. Un usuario con permiso SETTINGS puede establecer esto a cualquier archivo ejecutable en el sistema, logrando la ejecuci\u00f3n remota de c\u00f3digo. La \u00fanica validaci\u00f3n en set_config_value() es una comprobaci\u00f3n codificada para general.storage_folder \u2014 todas las dem\u00e1s configuraciones cr\u00edticas de seguridad, incluyendo reconnect.script, son escribibles sin ninguna lista blanca o restricci\u00f3n de ruta. Este problema ha sido parcheado en la versi\u00f3n 0.5.0b3.dev97."}], "id": "CVE-2026-33509", "lastModified": "2026-03-26T20:47:02.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T20:16:30.053", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.4.0,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-03-26T22:39:17.469873+00:00", "value": {"mitigation_remediation": ["Upgrade pyLoad to version 0.5.0b3.dev97 or later.", "Ensure that the SETTINGS permission group has no write access to configuration values.", "If an upgrade is not feasible, revoke or remove the SETTINGS permission from all users.", "Restart the pyLoad service to apply the changes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects pyLoad (pyload\u2011ng project) versions from 0.4.0 up to, but not including, 0.5.0b3.dev97. No other vendors are listed. The patch was released in 0.5.0b3.dev97.", "description_and_impact": "Non\u2011admin SETTINGS users can modify any configuration via the set_config_value API in pyLoad. The vulnerable setting, reconnect.script, is passed directly to subprocess.run without validation, allowing an attacker to run arbitrary executables. This missing access control flaw enables remote code execution, a high\u2011severity weakness classified as CWE\u2011269.", "risk_and_exploitability": "CVSS 7.5 indicates high severity; EPSS is <1%, so exploitation probability is low but still significant. The vulnerability is not in CISA\u2019s KEV catalog. A user possessing the SETTINGS role\u2014typically a regular user\u2014can trigger the flaw via authenticated API calls. By specifying any executable path in reconnect.script, the attacker can run code on the system, compromising confidentiality, integrity, and availability. The likely attack vector is authenticated local or remote access depending on how pyLoad is deployed."}}}}, "created": "2026-03-25T11:46:26.680974+00:00", "updated": "2026-03-27T09:20:42.161839+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}