VIR Vulnerability Intelligence Relay

CVE-2026-40594

medium
Published 2026-04-21 · Modified 2026-05-20
CVSS v3
4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
CVSS v2
VIR risk
4.8

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.

Predictions

Exploit likelihood
58%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v

Package impact
EcosystemPackageVulnerableFixed
python PyPIpyload-ng<0.5.0b3.dev980.5.0b3.dev98
python PyPIpyload-ng<0.5.0b3.dev690.5.0b3.dev69

Application impact
VendorProductVersionsFixed
pyload-ng_projectpyload-ng{"endExcluding":"0.5.0b3.dev69"}0.5.0b3.dev69

References

CWEs

CWE-346

Verify integrity in audit chain (admin only). AS-IS.