Vulnerability DatabaseCVE-2026-35586
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-35586
Published:April 07, 2026
Updated:April 20, 2026
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.
Affected Packages
pyload-ng (PYTHON):
Affected version(s) >=0.5.0a5.dev528 <0.5.0b3.dev97
Fix Suggestion:
Update to version 0.5.0b3.dev97
Related ResourcesĀ (3)
https://nvd.nist.gov/vuln/detail/CVE-2026-35586
https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7
https://github.com/pyload/pyload
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
CWE-863
EPSS
Base Score:
0.02