CVE-2026-41133
Published:April 21, 2026
Updated:May 18, 2026
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache "role" and "permission" in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.
Affected Packages
https://github.com/pyload/pyload.git (GITHUB):
Affected version(s) >=v0.1 <https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1Fix Suggestion:
Update to version https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1pyload-ng (PYTHON):
Affected version(s) >=0.5.0a5.dev528 <0.5.0b3.dev98Fix Suggestion:
Update to version 0.5.0b3.dev98Related Resources (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Insufficient Session Expiration
EPSS
Base Score:
0.04