GHSA-4744-96P5-MP2J pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
Summary The fix for CVE-2026-33509 GHSA-r7mc-x6x7-cqxx added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the Flask session directory is outside both...