CVE-2026-35463 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: April 7, 2026
pyLoad - Command Injection
Overview
pyLoad <= 0.5.0b3.dev96 contains a command injection caused by insufficient protection on plugin config options. Non-admin users with the SETTINGS permission can execute arbitrary code via subprocess.Popen(). Exploitation requires the SETTINGS permission.
Impact
Non-admin users with SETTINGS permission can execute arbitrary code remotely, potentially compromising the system.
Mitigation
Update to the latest version where plugin config options are properly protected.
Social Media Activity (2 posts)
CVE-2026-35463 - High (8.8) pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to ad... https://www.thehackerwire.com/vulnerability/CVE-2026-35463/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-35463
- Severity: High
- CVSS Score: 8.8
- Type: command_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H