29 matches found
CVE-2026-45306
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to...
CVE-2026-35464
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...
CVE-2026-45306
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to...
CVE-2026-45306
Summary: CVE-2026-45306 affects pyLoad. Before 0.5.0b3.dev100, the fix for CVE-2026-33509 did not protect the Flask session directory (/tmp/pyLoad/flask) from a manipulated storage_folder, enabling an authenticated attacker to set storage_folder to the session directory and download other users’ ...
CVE-2026-45306 pyLoad: Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to...
CVE-2026-45306 pyLoad: Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to...
EUVD-2026-32958
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to...
pyLoad 安全漏洞
pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained security vulnerabilities. These vulnerabilities stemmed from the lack of protection for the Flask session directory during the patching of CVE-2026-33509. Authorized attackers could s...
GHSA-W727-595X-PC3R pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad
Summary The fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to the session directory and download session files of other users via /files/get/, leadi...
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad
Summary The fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to the session directory and download session files of other users via /files/get/, leadi...
CVE-2026-35464
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...
CVE-2026-35464 pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...
CVE-2026-35464
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...
CVE-2026-35464 pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...
CVE-2026-35464
Summary: CVE-2026-35464 affects pyLoad and describes an incomplete fix for CVE-2026-33509, where a non-admin user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store and trigger arbitrary code execution via a crafted pickle payload deserialized during re...
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
Summary The fix for CVE-2026-33509 GHSA-r7mc-x6x7-cqxx added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the Flask session directory is outside both...
GHSA-4744-96P5-MP2J pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
Summary The fix for CVE-2026-33509 GHSA-r7mc-x6x7-cqxx added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the Flask session directory is outside both...
PT-2026-30341
Name of the Vulnerable Software and Affected Versions pyLoad affected versions not specified Description pyLoad, a Python-based download manager, has a flaw where a user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store. This allows planting a maliciou...
Exploit for CVE-2026-21994
CVE-2026-21994 Summary Oracle OKIT oci-designer-tool...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-Flask (SUSE-SU-2026:0849-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0849-1 advisory. This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to...