Description
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.
Published: 2026-04-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery (SSRF) that can force the pyLoad server to retrieve internal network resources
Action: Immediate Patch
AI Analysis

Impact

pyLoad includes an SSRF flaw that allows a logged-in user with ADD permission to submit a download URL that redirects to an internal host. The download routine validates the hostname of the initial URL only; pycurl is configured to follow HTTP redirects automatically, and the redirect targets are never re-validated. An attacker can exploit this to make the server access private IP addresses, exfiltrate data, or use the server as a pivot point into the internal network.

Affected Systems

The vulnerability exists in pyLoad 0.5.0b3.dev96 and all earlier releases. Deployments running these versions remain exposed to the SSRF bypass until a newer release that includes the fix is installed.

Risk and Exploitability

With a CVSS score of 9.3, this flaw represents a high-severity risk. Exploitation requires authenticated access with ADD privilege, but the easy availability of such accounts in typical installations increases the likelihood of exploitation. Although EPSS data is not available and the issue is not yet listed in the CISA KEV catalog, the potential for internal impact warrants immediate attention.

Generated by OpenCVE AI on April 7, 2026 at 02:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to the latest release that contains the fix for this SSRF bypass (the commit 33c55da restores proper redirect validation).
  • If an upgrade is not immediately possible, remove or tightly restrict the ADD permission from users who do not need it, as the vulnerability requires that capability to trigger a redirect.
  • Consider disabling or limiting pycurl's FOLLOWLOCATION setting in the configuration so that redirects are not followed automatically; each redirect target then has to pass the SSRF check before it is fetched.
  • Monitor outbound connections from the pyLoad server for unexpected traffic to internal IP ranges and investigate any anomalies promptly.
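The redirect re-validation that the bullets above call for, shown as an added Python example that is not pyLoad's own code: automatic redirect following is switched off (the equivalent of FOLLOWLOCATION=0), Location headers are followed by hand up to the MAXREDIRS=10 limit the page mentions, and every hop, not just the first URL, goes through the same address check. The transport is injected through `fetch` and `resolve` so the example runs offline against constructed responses; the function names, the hostname files.example.test and the IP addresses in the sample data are assumptions, not values from the advisory.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Hypothetical names throughout; this is an added example, not pyLoad code.
MAX_REDIRECTS = 10  # the limit the advisory says pycurl is configured with


class SSRFBlocked(Exception):
    """Raised when a URL (initial or redirect target) points at a non-public address."""


def resolve_host(hostname):
    """Real DNS lookup: every address a hostname resolves to (v4 and v6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_address(ip_text):
    """Accept only globally routable unicast addresses.

    ipaddress's is_global already rejects loopback, RFC 1918, link-local,
    unspecified and the documentation/benchmark ranges; multicast is
    excluded explicitly because older Pythons treat 224/4 as global.
    """
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def check_url(url, resolve=resolve_host):
    """Validate one URL: scheme, presence of a host, and every resolved address.

    Returns the list of addresses that passed, so a caller can pin the
    connection to one of them (checking first and resolving again at
    connect time leaves a window in which DNS answers can change).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)                       # host is a name
    for addr in addrs:
        if not is_public_address(addr):
            raise SSRFBlocked(f"{host} resolves to non-public address {addr}")
    return addrs


def fetch_following_redirects(url, fetch, resolve=resolve_host, max_redirects=MAX_REDIRECTS):
    """Follow redirects manually so that each hop is validated before it is fetched.

    `fetch(url)` must return (status, headers, body); it must not follow
    redirects itself (with pycurl that means FOLLOWLOCATION=0).
    Returns (status, body, hops) where hops lists every URL that was fetched.
    """
    hops = [url]
    current = url
    for _ in range(max_redirects + 1):
        check_url(current, resolve)          # validated on EVERY hop
        status, headers, body = fetch(current)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in (301, 302, 303, 307, 308) and location:
            current = urljoin(current, location)  # relative Location headers allowed
            hops.append(current)
            continue
        return status, body, hops
    raise SSRFBlocked(f"more than {max_redirects} redirects")


# --- constructed offline stand-ins for DNS and HTTP ---------------------------
CONSTRUCTED_DNS = {"files.example.test": ["23.45.67.89"]}   # placeholder public address
CONSTRUCTED_RESPONSES = {
    # redirect chain that lands on a loopback address: must be blocked
    "http://files.example.test/start": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    # benign chain with a relative Location header: must succeed
    "http://files.example.test/ok": (302, {"Location": "/final.bin"}, b""),
    "http://files.example.test/final.bin": (200, {}, b"payload"),
}


def fake_fetch(url):
    return CONSTRUCTED_RESPONSES[url]


def fake_resolve(host):
    return CONSTRUCTED_DNS[host]


def redirect_is_blocked(url, fetch=fake_fetch, resolve=fake_resolve):
    """True if following the chain from `url` is refused by the SSRF check."""
    try:
        fetch_following_redirects(url, fetch, resolve)
    except SSRFBlocked:
        return True
    return False


if __name__ == "__main__":
    print(fetch_following_redirects("http://files.example.test/ok", fake_fetch, fake_resolve))
    print("blocked:", redirect_is_blocked("http://files.example.test/start"))
```

Wiring this into a real downloader means calling `fetch` with redirects disabled and connecting to one of the addresses `check_url` returned rather than letting the HTTP client resolve the name a second time.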


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-7gvf-3w72-p2pg
Title: pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
History

Tue, 07 Apr 2026 20:45:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Pyload; Pyload pyload
Type: Vendors & Products
Values Added: Pyload; Pyload pyload

Mon, 06 Apr 2026 20:00:00 +0000

Type: Description
Values Added: pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.
Type: Title
Values Added: pyLoad has SSRF fix bypass via HTTP redirect
Type: Weaknesses
Values Added: CWE-918
Type: References
Type: Metrics
Values Added:
  cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T19:29:49.223Z

Reserved: 2026-04-02T19:25:52.193Z

Link: CVE-2026-35459

Vulnrichment

Updated: 2026-04-07T19:29:44.661Z

NVD

Status: Undergoing Analysis

Published: 2026-04-06T20:16:28.220

Modified: 2026-04-07T20:16:28.193

Link: CVE-2026-35459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:25Z

Weaknesses