Is CVE-2026-40071 actively exploited?

CVE-2026-40071 has no public evidence of in-the-wild exploitation as of 2026-04-28.

What is the CVSS score for CVE-2026-40071?

CVE-2026-40071 has a CVSS score of 5.4 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L.

How do I patch CVE-2026-40071?

Patch guidance is available from pyload security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-40071.

CVE-2026-40071 - remediation guidance & executive summary

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: low
Weaknesses: CWE-863 · Incorrect Authorization

Metadata

Primary Vendor: PYLOAD
Published: 4/9/2026
Last Modified: 4/28/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-40071

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary