Description
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
Published: 2026-03-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery that exposes internal network data and cloud metadata
Action: Apply Patch
AI Analysis

Impact

pyLoad’s download engine accepted arbitrary URLs without validation before version 0.5.0b3.dev97, allowing a Server‑Side Request Forgery vulnerability. An attacker who could authenticate to the application could make the server request any internal or external resource, enabling access to sensitive internal network services and leakage of cloud metadata such as droplet identifiers, network settings, region, and SSH keys. This constitutes a severe breach of confidentiality and potential compromise of the infrastructure.

Affected Systems

pyLoad download manager as distributed in releases prior to 0.5.0b3.dev97, including version 0.5.0. The vulnerability applies to all installations that use the default download engine without URL validation. The affected product is the pyLoad pyload bundle as identified by the CPE cpe:2.3:a:pyload:pyload:0.5.0.

Risk and Exploitability

With a CVSS base score of 9.3 the score reflects high impact and exploitation ease. The EPSS score is below 1 % indicating a low probability of widespread exploitation, and the vulnerability is not yet in CISA’s KEV list. The attack vector requires an authenticated user’s session, which is inferred from the description. Once authenticated, the attacker can trigger SSRF via the download link submission interface, causing the server to perform outbound requests and retrieve cloud metadata.

Generated by OpenCVE AI on March 31, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pyLoad to version 0.5.0b3.dev97 or later
  • Ensure that the download engine validates URLs and accepts only trusted domains
  • If possible, restrict the pyLoad server’s outbound network access to prevent unauthorized internal traffic

Generated by OpenCVE AI on March 31, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m74m-f7cr-432x pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
History

Tue, 31 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pyload:pyload:0.5.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Pyload
Pyload pyload
Vendors & Products Pyload
Pyload pyload

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
Title pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Pyload Pyload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T18:29:06.744Z

Reserved: 2026-03-24T22:20:06.211Z

Link: CVE-2026-33992

cve-icon Vulnrichment

Updated: 2026-03-30T18:28:40.803Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T23:17:14.070

Modified: 2026-03-31T14:49:16.640

Link: CVE-2026-33992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:35Z

Weaknesses