Vulnerability Details CVE-2026-41133
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continue to authorize requests using these cached values, even after an admin changes the user's role or permissions in the database. As a result, an already logged-in user keeps old (revoked) privileges until logout or session expiry and can continue to perform privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. Commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1 contains a fix for the issue.
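The pattern described above, as an added Python illustration that is not pyLoad's code and not the logic of the fix commit: a role check that trusts values copied into the session at login, next to one that re-reads the user record on each request. All function names, role names and the in-memory "database" are hypothetical and constructed for the example.

```python
"""Added illustration of stale session authorization; not pyLoad code."""
import secrets

ADMIN, USER = "admin", "user"  # hypothetical role names


def login(db, sessions, name):
    """Create a session that caches role/permission at login time."""
    sid = secrets.token_hex(8)
    rec = db[name]
    sessions[sid] = {"name": name, "role": rec["role"],
                     "permission": rec["permission"]}
    return sid


def authorize_cached(sessions, sid, needed_role):
    """Flawed pattern: trusts the role copied into the session at login."""
    s = sessions.get(sid)
    return s is not None and s["role"] == needed_role


def authorize_fresh(db, sessions, sid, needed_role):
    """Hardened pattern: the database is the authority on every request."""
    s = sessions.get(sid)
    if s is None:
        return False
    rec = db.get(s["name"])
    if rec is None:                  # user was deleted: drop the session
        sessions.pop(sid, None)
        return False
    # Refresh the cached copy so any other reader sees current values.
    s["role"], s["permission"] = rec["role"], rec["permission"]
    return rec["role"] == needed_role


def demo():
    db = {"alice": {"role": ADMIN, "permission": 0xFF}}  # constructed data
    sessions = {}
    sid = login(db, sessions, "alice")
    db["alice"].update(role=USER, permission=0x01)  # admin demotes alice
    stale = authorize_cached(sessions, sid, ADMIN)  # revoked role still honored
    fresh = authorize_fresh(db, sessions, sid, ADMIN)  # demotion takes effect
    return stale, fresh


if __name__ == "__main__":
    print(demo())
```

An alternative to a per-request lookup is to invalidate every session belonging to a user whenever that user's role or permissions change.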
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.5%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-41133
- cpe:2.3:a:pyload:pyload:-
- cpe:2.3:a:pyload:pyload:0.1
- cpe:2.3:a:pyload:pyload:0.1.1
- cpe:2.3:a:pyload:pyload:0.2
- cpe:2.3:a:pyload:pyload:0.2.1
- cpe:2.3:a:pyload:pyload:0.2.2
- cpe:2.3:a:pyload:pyload:0.3
- cpe:2.3:a:pyload:pyload:0.3.1
- cpe:2.3:a:pyload:pyload:0.3.2
- cpe:2.3:a:pyload:pyload:0.4
- cpe:2.3:a:pyload:pyload:0.4.1
- cpe:2.3:a:pyload:pyload:0.4.2
- cpe:2.3:a:pyload:pyload:0.4.20
- cpe:2.3:a:pyload:pyload:0.4.3
- cpe:2.3:a:pyload:pyload:0.4.4
- cpe:2.3:a:pyload:pyload:0.4.5
- cpe:2.3:a:pyload:pyload:0.4.6
- cpe:2.3:a:pyload:pyload:0.4.7
- cpe:2.3:a:pyload:pyload:0.4.8
- cpe:2.3:a:pyload:pyload:0.4.9
- cpe:2.3:a:pyload:pyload:0.5.0
- cpe:2.3:a:pyload:pyload:2023-01-05
- cpe:2.3:a:pyload:pyload:2023-01-24
- cpe:2.3:a:pyload:pyload:2023-01-25