Cyber Posture

CVE-2026-35463

High · Public PoC · RCE · Updated

Published: 07 April 2026
Modified: 24 April 2026
KEV Added: (not listed)
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (32.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35463 is a high-severity OS Command Injection (CWE-78) vulnerability in Pyload-Ng Project Pyload-Ng. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 32.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Enforces approved authorizations to restrict non-admin users with SETTINGS permission from modifying security-critical plugin configuration options like the AntiVirus executable path.
- prevent: Implements least privilege to ensure SETTINGS permission does not allow changes to plugin configs that enable remote code execution via subprocess.Popen().
- prevent: Restricts access to configuration change activities for plugins storing executable paths to authorized admin personnel only.

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (pyLoad) by low-privileged remote users via command injection in plugin configuration passed to subprocess.Popen(), directly facilitating T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.

Deeper analysis [AI]

CVE-2026-35463 is a vulnerability in pyLoad, a free and open-source download manager written in Python, affecting versions 0.5.0b3.dev96 and earlier. The issue arises from the ADMIN_ONLY_OPTIONS protection mechanism, which limits access to security-critical configuration values—such as reconnect scripts, SSL certificates, and proxy credentials—to admin-only users. However, this safeguard applies only to core config options and excludes plugin config options. Specifically, the AntiVirus plugin stores an executable path (avfile) in its configuration, which is passed directly to subprocess.Popen() without additional validation.

A non-admin user with SETTINGS permission can exploit this by modifying the AntiVirus plugin's avfile path, enabling remote code execution via OS command injection (CWE-78). The attack requires low privileges over the network with low complexity and no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8), allowing the attacker to achieve high confidentiality, integrity, and availability impacts on the affected system.

The pyLoad GitHub repository details mitigation in commit c4cf995a2803bdbe388addfc2b0f323277efc0e1 and security advisory GHSA-w48f-wwwf-f5fr, published on 2026-04-07.
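As an added illustration of the authorization gap described above (this is a toy model, not pyLoad's own code, and does not reproduce its real option names or permission system), the pre-fix setter applies ADMIN_ONLY_OPTIONS only to core options while plugin options bypass it, and the hardened setter applies an equivalent admin-only set to plugin options that store executable paths. The User and Config classes, both set_option functions, and every option name other than AntiVirus/avfile are assumptions.

```python
"""Hypothetical model of the authorization gap in CVE-2026-35463 (not pyLoad's code)."""
from dataclasses import dataclass, field

# Core options only admins may change; the names are illustrative, not pyLoad's real keys.
ADMIN_ONLY_OPTIONS = {("reconnect", "script"), ("ssl", "cert"), ("proxy", "password")}
# Hardened addition: plugin options holding an executable path are admin-only as well.
# ("AntiVirus", "avfile") is the option the advisory names.
ADMIN_ONLY_PLUGIN_OPTIONS = {("AntiVirus", "avfile")}

@dataclass
class User:
    name: str
    is_admin: bool = False
    has_settings: bool = False  # the SETTINGS permission from the advisory

@dataclass
class Config:
    core: dict = field(default_factory=dict)
    plugins: dict = field(default_factory=dict)

def set_option_vulnerable(cfg, user, section, option, value, plugin=False):
    """Pre-fix logic: the admin-only check is never consulted for plugin options."""
    if not (user.is_admin or user.has_settings):
        return False
    if not plugin and (section, option) in ADMIN_ONLY_OPTIONS and not user.is_admin:
        return False
    (cfg.plugins if plugin else cfg.core)[(section, option)] = value
    return True

def set_option_hardened(cfg, user, section, option, value, plugin=False):
    """Post-fix logic: plugin options naming an executable get the same admin gate."""
    if not (user.is_admin or user.has_settings):
        return False
    guarded = ADMIN_ONLY_PLUGIN_OPTIONS if plugin else ADMIN_ONLY_OPTIONS
    if (section, option) in guarded and not user.is_admin:
        return False
    (cfg.plugins if plugin else cfg.core)[(section, option)] = value
    return True

def demo():
    """Constructed check: can a SETTINGS-only user change avfile? Returns (pre-fix, post-fix)."""
    editor = User("editor", has_settings=True)
    before = set_option_vulnerable(Config(), editor, "AntiVirus", "avfile", "/other/bin", plugin=True)
    after = set_option_hardened(Config(), editor, "AntiVirus", "avfile", "/other/bin", plugin=True)
    return before, after

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same pattern applies to any plugin option that ends up in a subprocess call: the guard must live in the shared setter, not in the plugin.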

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: pyload-ng project, pyload-ng, ≤ 0.5.0b3.dev96

CVEs Like This One

- CVE-2026-29778 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2025-54802 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2026-35187 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2026-35459 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2026-42313 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2026-42315 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2026-33511 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2026-33509 (same product: Pyload-Ng Project Pyload-Ng)
- CVE-2025-0680 (shared CWE-78)
- CVE-2025-23316 (shared CWE-78)

References