CVE-2026-40594

4.8 MEDIUM
Published: April 21, 2026 Modified: April 27, 2026
View on NVD

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v
Source: security-advisories@github.com
Exploit Mitigation Vendor Advisory
https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Mitigation Vendor Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.8 / 10.0
EPSS (Exploit Probability)
0.2%
7th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

pyload-ng_project