CVE-2026-42313: pyLoad Proxy Bypass Exposes Outbound Traffic

The National Vulnerability Database has disclosed CVE-2026-42313, a high-severity vulnerability in pyLoad, an open-source download manager. Rated 8.3 CVSS, this flaw allows any authenticated user with non-admin SETTINGS permission to enable and configure proxying, routing all outbound pyLoad traffic through an attacker-controlled host. This includes downloads, captcha fetches, update checks, and plugin HTTP calls, effectively creating an arbitrary proxy.

This vulnerability stems from an incomplete fix for a series of prior issues (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586). The set_config_value() API method’s ADMIN_ONLY_CORE_OPTIONS allowlist, intended to gate sensitive proxy settings, failed to include critical options like proxy.enabled, proxy.host, proxy.port, and proxy.type. This oversight allows a low-privileged attacker to bypass intended security controls and redirect all network communications.
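The gating gap described above, as a simplified model. This is an added example, not pyLoad's code: only the names ADMIN_ONLY_CORE_OPTIONS and set_config_value come from the advisory, while the list entries, user records, helper functions and the category-level gate are assumptions made for illustration.

```python
# Added illustration: a simplified model of a per-option admin gate.
# Only ADMIN_ONLY_CORE_OPTIONS and set_config_value are names from the advisory;
# every other name and all sample values are hypothetical.

# Enumerated gate: sensitive options are listed one by one. The four proxy
# options named in the advisory are absent (the entries shown are constructed).
ADMIN_ONLY_CORE_OPTIONS = {("proxy", "username"), ("proxy", "password")}

# One possible hardening: gate whole categories, so any option in a sensitive
# category is admin-only by default, including options added later.
ADMIN_ONLY_CORE_CATEGORIES = {"proxy"}


class PermissionDenied(Exception):
    pass


def is_gated_enumerated(category, option):
    return (category, option) in ADMIN_ONLY_CORE_OPTIONS


def is_gated_by_category(category, option):
    return category in ADMIN_ONLY_CORE_CATEGORIES or is_gated_enumerated(category, option)


def set_config_value(config, user, category, option, value, gate):
    """Apply a core config change if `user` is allowed to make it under `gate`."""
    if not user["admin"] and "SETTINGS" not in user["perms"]:
        raise PermissionDenied("SETTINGS permission required")
    if gate(category, option) and not user["admin"]:
        raise PermissionDenied(f"{category}.{option} is admin-only")
    config.setdefault(category, {})[option] = value


def options_writable_by_non_admin(gate):
    """Regression check: which proxy options can a SETTINGS-only user change?"""
    config = {}
    user = {"admin": False, "perms": {"SETTINGS"}}
    sample = [("enabled", True), ("host", "proxy.example.invalid"),
              ("port", 8080), ("type", "socks5")]  # constructed values
    writable = []
    for option, value in sample:
        try:
            set_config_value(config, user, "proxy", option, value, gate)
            writable.append(option)
        except PermissionDenied:
            pass
    return writable
```

A check like options_writable_by_non_admin(), run against the real option schema in a test suite, is the kind of regression test that catches an option missing from an enumerated gate.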

For defenders, this is a critical supply chain risk. An attacker exploiting this could intercept sensitive data, inject malicious content into downloads, or use the pyLoad instance as an unwitting pivot for further attacks. It’s a clear demonstration of how incomplete allowlists in security-sensitive configurations can lead to persistent bypasses. The vulnerability is fixed in pyLoad version 0.5.0b3.dev100.

What This Means For You

  • If your organization uses pyLoad, this vulnerability means any authenticated user with SETTINGS permission can redirect all its outbound traffic, potentially exposing sensitive data or enabling further attacks. Immediately patch to version 0.5.0b3.dev100 or later to mitigate CVE-2026-42313.

🛡️ Detection Rules

critical T1572 Command and Control

CVE-2026-42313: pyLoad Proxy Configuration Change

Sigma YAML
title: CVE-2026-42313: pyLoad Proxy Configuration Change
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects the specific API call used by CVE-2026-42313 to enable and configure an external proxy. This allows an attacker to redirect all pyLoad outbound traffic through a host they control, bypassing security controls and potentially exfiltrating data or fetching malicious content.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42313/
tags:
  - attack.command_and_control
  - attack.t1572
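logsource:
  category: webserver
detection:
  # Fields inside a selection are ANDed; values in a list are ORed.
  # Matches only when the parameters appear in the logged query string.
  selection:
    cs-uri|contains:
      - '/api/set_config_value'
    cs-uri-query|contains:
      - 'proxy.enabled=true'
      - 'proxy.host='
      - 'proxy.port='
      - 'proxy.type='
  condition: selection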
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42313 | Auth Bypass | pyLoad versions prior to 0.5.0b3.dev100 |
| CVE-2026-42313 | Misconfiguration | pyLoad src/pyload/core/api/__init__.py set_config_value() API method |
| CVE-2026-42313 | Information Disclosure | Authenticated users with SETTINGS permission can enable and configure proxy settings ('proxy', 'enabled'), ('proxy', 'host'), ('proxy', 'port'), ('proxy', 'type') to route outbound traffic through an attacker-controlled host. |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
