NIXPKGS-2026-0775

GitHub issue published 2 months, 2 weeks ago

Permalink CVE-2026-33509

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 months, 2 weeks ago by @mweinelt Activity log

Created suggestion 2 months, 2 weeks ago
@mweinelt ignored
5 packages
- python312Packages.pyloadapi
- python313Packages.pyloadapi
- python314Packages.pyloadapi
- home-assistant-component-tests.pyload
- tests.home-assistant-component-tests.pyload
2 months, 2 weeks ago
@mweinelt accepted 2 months, 2 weeks ago
@mweinelt published on GitHub 2 months, 2 weeks ago

pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.

References

https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx x_refsource_CONFIRM

Affected products

pyload

==>= 0.4.0, < 0.5.0b3.dev97

Matching in nixpkgs

pkgs.pyload-ng

Free and open-source download manager with support for 1-click-hosting sites

nixos-unstable 0.5.0b3.dev88
- nixpkgs-unstable 0.5.0b3.dev88
- nixos-unstable-small 0.5.0b3.dev88

Ignored packages (5)

pkgs.python312Packages.pyloadapi

None

pkgs.python313Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-unstable 1.4.2
- nixpkgs-unstable 1.4.2
- nixos-unstable-small 1.4.2

pkgs.python314Packages.pyloadapi

Simple wrapper for pyLoad's API

nixos-unstable 1.4.2
- nixpkgs-unstable 1.4.2
- nixos-unstable-small 1.4.2

pkgs.home-assistant-component-tests.pyload

None

pkgs.tests.home-assistant-component-tests.pyload

Open source home automation that puts local control and privacy first

nixos-unstable 2026.3.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.3.3

Package maintainers

@ruby0b ruby0b

Upstream advisory: https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0775