Nixpkgs security tracker
NIXPKGS-2026-1044
GitHub issue
published on
Permalink
CVE-2026-40071
5.4 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): LOW
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
5 packages
- tests.home-assistant-component-tests.pyload
- home-assistant-component-tests.pyload
- python314Packages.pyloadapi
- python313Packages.pyloadapi
- python312Packages.pyloadapi
- @LeSuisse accepted
- @LeSuisse published on GitHub
pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.
References
-
https://github.com/pyload/pyload/security/advisories/GHSA-rfgh-63mg-8pwm x_refsource_CONFIRM
Affected products
pyload
- ==< 0.5.0b3.dev97
Matching in nixpkgs
pkgs.pyload-ng
Free and open-source download manager with support for 1-click-hosting sites
-
nixos-25.11 0.5.0b3.dev88
- nixos-25.11-small 0.5.0b3.dev88
- nixpkgs-25.11-darwin 0.5.0b3.dev88
Ignored packages (5)
pkgs.python312Packages.pyloadapi
Simple wrapper for pyLoad's API
pkgs.python313Packages.pyloadapi
Simple wrapper for pyLoad's API
pkgs.python314Packages.pyloadapi
Simple wrapper for pyLoad's API
pkgs.home-assistant-component-tests.pyload
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-component-tests.pyload
Open source home automation that puts local control and privacy first
Package maintainers
-
@ruby0b ruby0b