Is CVE-2026-35463 actively exploited?

CVE-2026-35463 has no public evidence of in-the-wild exploitation as of 2026-04-24.

What is the CVSS score for CVE-2026-35463?

CVE-2026-35463 has a CVSS score of 8.8 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2026-35463?

Patch guidance is available from pyload-ng project security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-35463.

Which products are affected by CVE-2026-35463?

1 product: pyload-ng project pyload-ng.

Fix CVE-2026-35463 - HIGH pyload-ng project pyload-ng

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an executable path (avfile) in its config, which is passed directly to subprocess.Popen(). A non-admin user with SETTINGS permission can change this path to achieve remote code execution.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-78 · OS Command Injection

Metadata

Primary Vendor: PYLOAD-NG_PROJECT
Published: 4/7/2026
Last Modified: 4/24/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

pyload-ng_project : pyload-ng

Remediation Guidance

Executive Summary

Cite this page

CVE-2026-35463. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-35463

View on NIST NVD

CVE-2026-35463 vulnerability