CVE-2026-45306

Published: Mag 28, 2026 Last Modified: Mag 28, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: high

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100.

706

Use of Incorrectly-Resolved Name or Reference

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity

Potential Impacts:

Read Application Data Modify Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/pyload/pyload/security/advisories/GHSA-w…

https://github.com/pyload/pyload/security/advisories/GHSA-w727-595x-pc3r

CVE-2026-45306

Description

Use of Incorrectly-Resolved Name or Reference

Common Consequences

Applicable Platforms

Iscriviti alla newsletter