Nixpkgs security tracker

Untriaged

Permalink CVE-2026-35464

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week ago

pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.

References

https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j x_refsource_CONFIRM
https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx x_refsource_MISC
https://github.com/pyload/pyload/commit/c4cf995a2803bdbe388addfc2b0f323277efc0e1 x_refsource_MISC
https://www.cve.org/CVERecord?id=CVE-2026-33509 x_refsource_MISC
https://github.com/pyload/pyload/security/advisories/GHSA-4744-96p5-mp2j exploit

Affected products

pyload

==<= 0.5.0b3.dev96

Matching in nixpkgs

pkgs.pyload-ng

Free and open-source download manager with support for 1-click-hosting sites

nixos-unstable 0.5.0b3.dev88
nixos-25.11 0.5.0b3.dev88
- nixos-25.11-small 0.5.0b3.dev88
- nixpkgs-25.11-darwin 0.5.0b3.dev88

pkgs.python312Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-25.11 1.4.2
- nixos-25.11-small 1.4.2
- nixpkgs-25.11-darwin 1.4.2

pkgs.python313Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-unstable 1.4.2
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 1.4.2
- nixos-25.11-small 1.4.2
- nixpkgs-25.11-darwin 1.4.2

pkgs.python314Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-unstable 1.4.2
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.home-assistant-component-tests.pyload

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.pyload

Open source home automation that puts local control and privacy first

nixos-unstable 2026.3.4
- nixpkgs-unstable 2026.4.1
- nixos-unstable-small 2026.4.1

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@ruby0b ruby0b

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.pyload-ng

pkgs.python312Packages.pyloadapi

pkgs.python313Packages.pyloadapi

pkgs.python314Packages.pyloadapi

pkgs.home-assistant-component-tests.pyload

pkgs.tests.home-assistant-component-tests.pyload

Package maintainers