{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pickle/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33509"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["pyLoad","rce","pickle","deserialization","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003epyLoad, a download manager, is susceptible to arbitrary code execution due to an insecure configuration option related to the storage folder. This vulnerability arises from the incomplete fix for CVE-2026-33509. Specifically, the \u003ccode\u003estorage_folder\u003c/code\u003e option is not included in the \u003ccode\u003eADMIN_ONLY_OPTIONS\u003c/code\u003e set, which allows users with \u003ccode\u003eSETTINGS\u003c/code\u003e and \u003ccode\u003eADD\u003c/code\u003e permissions to modify it. By redirecting downloads to the Flask filesystem session store, an attacker can plant a malicious pickle payload as a predictable session file. Subsequently, any HTTP request containing the corresponding crafted session cookie will trigger the deserialization of the payload, resulting in arbitrary code execution. This issue affects pyLoad versions up to and including 0.5.0b3. The observed exploitation involves manipulating the download directory to write malicious files into the Flask session store, ultimately leading to code execution on the host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains a non-admin user account with both \u003ccode\u003eSETTINGS\u003c/code\u003e and \u003ccode\u003eADD\u003c/code\u003e permissions in pyLoad.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/api/set_config_value\u003c/code\u003e endpoint to modify the \u003ccode\u003estorage_folder\u003c/code\u003e option, setting its value to the Flask session store directory: \u003ccode\u003e/tmp/pyLoad/flask\u003c/code\u003e. This bypasses existing path restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker calculates the target session filename by computing the MD5 hash of the string \u0026ldquo;session:ATTACKER_SESSION_ID\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a malicious pickle payload (e.g., \u003ccode\u003e92912f771df217fb6fbfded6705dd47c\u003c/code\u003e) on a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/api/add_package\u003c/code\u003e endpoint to add a download package. The download link points to the hosted malicious pickle payload on the attacker\u0026rsquo;s server: \u003ccode\u003ehttp://attacker.com/92912f771df217fb6fbfded6705dd47c\u003c/code\u003e. The \u003ccode\u003edest\u003c/code\u003e parameter specifies where to store the downloaded file.\u003c/li\u003e\n\u003cli\u003epyLoad downloads the malicious pickle payload and saves it to the Flask session store directory, naming it according to the MD5 hash calculated earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the pyLoad server, including a cookie named \u003ccode\u003epyload_session_{port}\u003c/code\u003e with the value \u003ccode\u003eATTACKER_SESSION_ID\u003c/code\u003e.  The port number is derived from the pyLoad configuration.\u003c/li\u003e\n\u003cli\u003eUpon receiving the request with the crafted cookie, Flask attempts to load the session data from the corresponding file. The \u003ccode\u003ecachelib\u003c/code\u003e library deserializes the malicious pickle payload using \u003ccode\u003epickle.load()\u003c/code\u003e, triggering arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a non-admin user with SETTINGS and ADD permissions to achieve arbitrary code execution as the pyload service user. This grants the attacker the ability to execute arbitrary commands, read environment variables (potentially exposing API keys and credentials), access the filesystem (including download history and user databases), and potentially pivot to other network resources. The vulnerability requires no authentication to trigger the final stage of exploitation, increasing its severity and potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to modify the \u003ccode\u003estorage_folder\u003c/code\u003e configuration option to point to the Flask session directory (\u003ccode\u003e/tmp/pyLoad/flask\u003c/code\u003e): \u003ccode\u003eSuspicious pyLoad Storage Folder Modification\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix by adding \u003ccode\u003estorage_folder\u003c/code\u003e to the \u003ccode\u003eADMIN_ONLY_OPTIONS\u003c/code\u003e set in the pyLoad configuration to prevent non-admin users from modifying it.\u003c/li\u003e\n\u003cli\u003eBlock the malicious URLs used to deliver the pickle payload, specifically \u003ccode\u003ehttp://attacker.com/92912f771df217fb6fbfded6705dd47c\u003c/code\u003e, at your network perimeter.\u003c/li\u003e\n\u003cli\u003eMonitor for HTTP requests containing the crafted session cookie (\u003ccode\u003epyload_session_{port}=ATTACKER_SESSION_ID\u003c/code\u003e), using a webserver or proxy log source, as it triggers the final stage of the attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:43:37Z","date_published":"2026-04-04T06:43:37Z","id":"/briefs/2026-04-pyload-rce/","summary":"pyLoad is vulnerable to arbitrary code execution via an unprotected `storage_folder` configuration option, allowing an attacker with `SETTINGS` and `ADD` permissions to write a malicious pickle payload to the Flask session store and execute arbitrary code upon subsequent HTTP requests.","title":"pyLoad Arbitrary Code Execution via Malicious Session Deserialization","url":"https://feed.craftedsignal.io/briefs/2026-04-pyload-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Pickle","version":"https://jsonfeed.org/version/1.1"}