Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0775

NIXPKGS-2026-0775
published on
Permalink CVE-2026-33509
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month ago by @mweinelt Activity log
  • Created suggestion 1 month ago
  • @mweinelt ignored
    5 packages
    • python312Packages.pyloadapi
    • python313Packages.pyloadapi
    • python314Packages.pyloadapi
    • home-assistant-component-tests.pyload
    • tests.home-assistant-component-tests.pyload
    1 month ago
  • @mweinelt accepted 1 month ago
  • @mweinelt published on GitHub 1 month ago
pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.

Affected products

pyload
  • ==>= 0.4.0, < 0.5.0b3.dev97

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx