Cyber Posture

CVE-2026-35464

High · Public PoC · RCE

Published: 07 April 2026
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (42.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35464 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Pyload Pyload. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 42.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (CM-5, Access Restrictions for Change): Restricts non-admin users from modifying critical configuration settings such as storage_folder, directly preventing the redirection of downloads to the Flask session directory.

prevent (AC-6, Least Privilege): Enforces least privilege by ensuring low-privilege users lack the SETTINGS and ADD permissions needed to exploit the configuration bypass.

prevent: Requires timely remediation of the specific flaw by applying the commit that adds storage_folder to ADMIN_ONLY_OPTIONS, eliminating the vulnerability.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability in the public-facing pyLoad web app enables network exploitation for RCE via malicious Python pickle deserialization after low-privilege configuration manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.

Deeper analysis [AI]

CVE-2026-35464 is a vulnerability in pyLoad, a free and open-source download manager written in Python. It arises from an incomplete fix for CVE-2026-33509, which introduced an ADMIN_ONLY_OPTIONS set to restrict non-admin users from modifying security-critical configuration options. The storage_folder option is excluded from this set and bypasses path restrictions because the Flask session directory lies outside both PKGDIR and userdir. This allows non-admin users to redirect downloads to the session store and plant a malicious pickle payload as a predictable session file, enabling arbitrary code execution upon deserialization (CWE-502: Deserialization of Untrusted Data; CWE-863: Incorrect Authorization). The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

A low-privilege user with SETTINGS and ADD permissions can exploit this vulnerability over the network. By modifying the storage_folder option, the attacker redirects downloads to the Flask filesystem session store, uploads a malicious pickle payload disguised as a predictable session file, and triggers remote code execution when any HTTP request arrives bearing the corresponding session cookie. This grants high-impact confidentiality, integrity, and availability effects, executing arbitrary code with the privileges of the pyLoad process.

The issue is addressed in commit c4cf995a2803bdbe388addfc2b0f323277efc0e1, which security practitioners should apply by updating pyLoad. GitHub Security Advisories GHSA-4744-96p5-mp2j and GHSA-r7mc-x6x7-cqxx provide further details on the vulnerability and its relation to CVE-2026-33509.
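The authorization gap the analysis describes, modelled as an added example that is not pyLoad's own code: a settings-change gate in which the deny-list path check (reject anything inside PKGDIR or userdir) lets a session directory through, so the only check that actually stops a non-admin from repointing storage_folder is membership in ADMIN_ONLY_OPTIONS. The option name, permission name, set name and directory names come from the advisory text; the functions, the class and the constructed sample paths are assumptions made for this illustration.

```python
"""Model of the configuration-change authorization gate described above.

Added illustration, not pyLoad's own code. The option name storage_folder,
the ADMIN_ONLY_OPTIONS set, the SETTINGS permission and the PKGDIR/userdir
path restriction come from the advisory text; every function, class and
sample path below is an assumption constructed for this example.
"""
import os
import tempfile

# Before the fix, storage_folder was not admin-only (the set's other members
# are not named on the page, so the "before" set is modelled as empty here).
ADMIN_ONLY_OPTIONS_BEFORE = frozenset()
# After commit c4cf995a2803bdbe388addfc2b0f323277efc0e1: storage_folder is admin-only.
ADMIN_ONLY_OPTIONS_AFTER = frozenset({"storage_folder"})


class ConfigChangeDenied(Exception):
    """Raised when the caller may not apply the requested settings change."""


def _is_inside(path, root):
    """True if `path` resolves to `root` itself or to something beneath it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)


def passes_path_restriction(value, pkgdir, userdir):
    """Model of the deny-list path check: a storage_folder is rejected only
    when it lies inside PKGDIR or userdir, so any other writable directory
    (the Flask session store included) passes."""
    return not (_is_inside(value, pkgdir) or _is_inside(value, userdir))


def check_config_change(user_perms, is_admin, option, value, admin_only,
                        pkgdir, userdir):
    """Authorize a settings change; returns True or raises ConfigChangeDenied.

    The admin-only check runs before the path check, so after the fix a
    non-admin never reaches the (insufficient) deny-list path test.
    """
    if "SETTINGS" not in user_perms:
        raise ConfigChangeDenied("SETTINGS permission required")
    if option in admin_only and not is_admin:
        raise ConfigChangeDenied(f"{option} may only be changed by an admin")
    if option == "storage_folder" and not passes_path_restriction(value, pkgdir, userdir):
        raise ConfigChangeDenied("storage_folder may not point inside PKGDIR or userdir")
    return True


def compare_before_and_after():
    """Apply the same non-admin change under both sets; returns a dict of outcomes."""
    base = tempfile.mkdtemp()
    pkgdir = os.path.join(base, "pkg")                  # constructed stand-in for PKGDIR
    userdir = os.path.join(base, "userdir")             # constructed stand-in for userdir
    session_dir = os.path.join(base, "flask_session")   # constructed session store
    for d in (pkgdir, userdir, session_dir):
        os.makedirs(d, exist_ok=True)

    non_admin_perms = {"SETTINGS", "ADD"}               # the privilege level in the advisory
    outcomes = {"path_check_alone": passes_path_restriction(session_dir, pkgdir, userdir)}
    for label, admin_only in (("before", ADMIN_ONLY_OPTIONS_BEFORE),
                              ("after", ADMIN_ONLY_OPTIONS_AFTER)):
        try:
            check_config_change(non_admin_perms, False, "storage_folder", session_dir,
                                admin_only, pkgdir, userdir)
            outcomes[label] = "allowed"
        except ConfigChangeDenied as exc:
            outcomes[label] = f"denied: {exc}"
    return outcomes


if __name__ == "__main__":
    for key, value in compare_before_and_after().items():
        print(f"{key}: {value}")
```

Running the comparison shows the path check alone accepting the session directory in both cases; only the "after" set denies the change for a non-admin, which is why the advisory's fix is a one-line addition to ADMIN_ONLY_OPTIONS rather than a change to the path logic. A deny-list of forbidden parents is a weak control on its own; an allow-list of permitted download roots would be the natural defence-in-depth companion, though that is a design suggestion, not something the fix commit is described as doing.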

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data), CWE-863 (Incorrect Authorization)

Affected Products

pyload pyload (versions ≤ 2026-04-02)

CVEs Like This One

CVE-2026-41133 (same product: Pyload Pyload)
CVE-2026-33511 (same product: Pyload Pyload)
CVE-2026-33509 (same product: Pyload Pyload)
CVE-2026-32808 (same product: Pyload Pyload)
CVE-2025-62373 (shared CWE-502)
CVE-2025-27780 (shared CWE-502)
CVE-2024-9701 (shared CWE-502)
CVE-2026-24186 (shared CWE-502)
CVE-2025-24016 (shared CWE-502)
CVE-2026-26210 (shared CWE-502)
