4.8
CVE-2026-40594
- EPSS 0.17%
- Veröffentlicht 21.04.2026 17:14:03
- Zuletzt bearbeitet 27.04.2026 19:43:46
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSION_COOKIE_SECURE on every request. Because pyLoad uses the multi-threaded Cheroot WSGI server (request_queue_size=512), this creates a race condition where an attacker's request can influence the Secure flag on other users' session cookies — either downgrading cookie security behind a TLS proxy or causing a session denial-of-service on plain HTTP deployments. This vulnerability is fixed in 0.5.0b3.dev98.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pyload-ng Project ≫ Pyload-ng SwPlatformpython Version < 0.5.0b3.dev69
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.066 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.8 | 2.2 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
|
CWE-346 Origin Validation Error
The product does not properly verify that the source of data or communication is valid.
https://github.com/pyload/pyload/security/advisories/GHSA-mp82-fmj6-f22v