CVE-2026-45306: pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad

May 14, 2026 (updated June 9, 2026)

The fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover.

References

github.com/advisories/GHSA-r7mc-x6x7-cqxx
github.com/advisories/GHSA-w727-595x-pc3r
github.com/pyload/pyload/security/advisories/GHSA-w727-595x-pc3r
nvd.nist.gov/vuln/detail/CVE-2026-45306

Code Behaviors & Features

Detect and mitigate CVE-2026-45306 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →