CVE-2026-40594

Severity: Medium (CVSS 3.1 base score 4.8) · EPSS 6.7%
Published Apr 21, 2026 · Last Modified Jun 17, 2026

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.
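The handler pattern the description sketches, placed next to a request-scoped alternative that honours X-Forwarded-Proto only when the peer is the configured proxy. This is an added illustration, not pyLoad's code; the Request class, the proxy address 10.0.0.5 and the cookie dictionaries are constructed for it.

```python
from dataclasses import dataclass, field

# Constructed for this example: address of the TLS-terminating reverse proxy.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


@dataclass
class Request:
    """Minimal stand-in for a WSGI request (constructed, not Flask's)."""
    remote_addr: str            # peer the WSGI server actually accepted from
    scheme: str                 # scheme the WSGI server itself saw
    headers: dict = field(default_factory=dict)


# Pattern described in the advisory: a process-wide flag rewritten by every
# request, so one request's header can reach other users' cookies.
app_config = {"SESSION_COOKIE_SECURE": False}


def vulnerable_before_request(req: Request) -> None:
    # Header trusted from any peer; result stored in shared mutable state.
    app_config["SESSION_COOKIE_SECURE"] = (
        req.headers.get("X-Forwarded-Proto") == "https")


def vulnerable_issue_cookie() -> dict:
    # Reads the global at cookie-setting time: whichever request's
    # before_request ran last wins, regardless of whose response this is.
    return {"name": "session", "secure": app_config["SESSION_COOKIE_SECURE"]}


# Hardened form: decide per request, honour the header only from the proxy,
# and mutate no shared state.
def request_is_https(req: Request, trusted=TRUSTED_PROXIES) -> bool:
    if req.remote_addr in trusted:
        return req.headers.get("X-Forwarded-Proto", "").lower() == "https"
    return req.scheme == "https"   # untrusted peer: ignore the header


def hardened_issue_cookie(req: Request) -> dict:
    return {"name": "session", "secure": request_is_https(req)}


def victim_cookie_secure(victim: Request, attacker: Request) -> tuple:
    """Replay the losing interleaving deterministically: the victim's
    before_request runs, another thread runs the attacker's, and only then
    is the victim's cookie issued. Returns (vulnerable, hardened) flags."""
    vulnerable_before_request(victim)
    vulnerable_before_request(attacker)      # other thread, same global
    vulnerable = vulnerable_issue_cookie()["secure"]
    hardened = hardened_issue_cookie(victim)["secure"]   # request-scoped
    return vulnerable, hardened
```

The first tuple element reproduces both outcomes named in the description (Secure flag stripped behind a TLS proxy, Secure flag forced on plain HTTP); the second shows the per-request check unaffected by the interleaving.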

CVSS Details

Base Score
4.8
Exploitability
2.2
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
6.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses (1)

CWE-346

Affected Products (1)

Vendor             Product     Version   Range
pyload-ng_project  pyload-ng   *         <0.5.0b3.dev69

References (1)

  • github.com: https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v
    Tags: Exploit, Mitigation, Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.