CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-40594

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 0.5%

CVSS Severity

CVSS v3 Score 4.8

References

Products affected by CVE-2026-40594

Pyload-Ng Project » Pyload-Ng » Version: N/A

cpe:2.3:a:pyload-ng_project:pyload-ng:-
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev528

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev528
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev532

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev532
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev535

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev535
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev536

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev536
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev537

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev537
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev539

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev539
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev540

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev540
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev545

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev545
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev562

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev562
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev564

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev564
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev565

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev565
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a6.dev570

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev570
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a6.dev578

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev578
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a6.dev587

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev587
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a7.dev596

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a7.dev596
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a8.dev602

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a8.dev602
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev615

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev615
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev629

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev629
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev632

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev632
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev641

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev641
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev643

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev643
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev655

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev655
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev806

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev806
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev1

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev1
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev2

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev2
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev3

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev3
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev4

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev4
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev5

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev5
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev10

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev10
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev11

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev11
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev12

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev12
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev9

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev9
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev13

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev13
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev14

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev14
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev17

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev17
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev18

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev18
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev19

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev19
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev20

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev20
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev21

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev21
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev22

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev22
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev24

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev24
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev26

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev26
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev27

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev27
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev28

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev28
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev29

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev29
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev30

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev30
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev31

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev31
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev32

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev32
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev33

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev33
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev34

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev34
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev35

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev35
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev38

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev38
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev39

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev39
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev40

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev40
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev41

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev41
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev42

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev42
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev43

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev43
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev44

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev44
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev45

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev45
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev46

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev46
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev47

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev47

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-40594

Products

Pricing

Contact Us