Description
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the initial URL. This vulnerability is fixed in 0.5.0b3.dev100.
Published: 2026-05-28
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server‑Side Request Forgery flaw was found in pyLoad’s parse_urls API, allowing an authenticated attacker to supply a URL that redirects to a private or internal IP address. The redirect bypasses the intended global‑host check, letting the attacker trigger requests to internal resources that should otherwise be blocked. The core weakness is a missing private‑IP guard on HTTP redirects, which can be abused for internal network enumeration or to reach services behind a firewall.

Affected Systems

The vulnerability affects the pyLoad download manager developed by pyload:pyload. Any installation running a version older than 0.5.0b3.dev100 is susceptible, as the private-IP check was not applied to the HTTPRequest used by parse_urls; earlier releases such as 0.4.x or 0.5.0b2 are included in this risk group.

Risk and Exploitability

The CVSS score is 5, indicating moderate risk. No EPSS score is available, so the likelihood of exploitation cannot be quantified precisely, and the flaw is not listed in CISA's KEV catalog. Because the API requires authentication, an attacker must first obtain valid credentials; once authenticated, however, the attacker can make the server issue requests to internal hosts and gain unauthorised access to internal services or data. The attack vector is inferred to be internal network access after the redirect, posing potential confidentiality and availability risks to the victim's internal infrastructure.

Generated by OpenCVE AI on May 28, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pyLoad to version 0.5.0b3.dev100 or later to re‑enable the private‑IP check on redirects.
  • If an upgrade cannot be performed immediately, temporarily disable the parse_urls API for unauthenticated or untrusted users or insert a custom filter that rejects redirects to private IP ranges.
  • After applying the latest release or the temporary filter, conduct a test using a redirect that points to an internal IP to confirm that the exploit no longer succeeds.
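The weakness described in the Impact section and the "custom filter that rejects redirects to private IP ranges" suggested above amount to one rule: the host check has to run before every hop, not just on the URL the user submitted. The following is an added example and not pyLoad's own code; its `is_global_host()` is a hypothetical stand-in for the check the advisory names (built on Python's `ipaddress.is_global`), and the resolver, opener, host names and addresses are constructed fixtures so that the 302-to-internal-IP chain can be exercised offline. The naive fetch checks only the initial URL; the guarded fetch re-checks each redirect target.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], List[str]]
Response = Tuple[int, Dict[str, str], bytes]      # (status, headers, body)
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class BlockedHostError(Exception):
    """Raised when a URL (initial or redirect target) points at a non-global host."""


def _resolve(hostname: str) -> List[str]:
    """Default resolver: every TCP address the name resolves to (literal IPs pass through)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_global_host(hostname: str, resolver: Optional[Resolver] = None) -> bool:
    """Hypothetical stand-in for the advisory's check, not pyLoad's implementation.

    True only if *every* address the host resolves to is globally routable.
    ipaddress.is_global rejects RFC 1918, loopback, link-local (so the
    169.254.169.254 metadata address), CGNAT and ULA ranges; multicast and the
    unspecified address are rejected explicitly, and IPv4-mapped IPv6 is
    unwrapped so ::ffff:127.0.0.1 cannot bypass an IPv4-only view.
    """
    try:
        addrs = (resolver or _resolve)(hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addrs:                                  # NXDOMAIN: fail closed
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global or ip.is_multicast or ip.is_unspecified:
            return False
    return True


def _redirect_target(url: str, status: int, headers: Dict[str, str]) -> Optional[str]:
    """Absolute URL of a redirect, or None if the response is not a redirect."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in REDIRECT_STATUSES and location:
        return urljoin(url, location)              # relative Location resolves against the current URL
    return None


def initial_check_only_get(url, opener, resolver=None, max_redirects=5) -> Response:
    """The vulnerable pattern: validate the first URL, then follow redirects blindly."""
    if not is_global_host(urlsplit(url).hostname or "", resolver):
        raise BlockedHostError(f"non-global host rejected: {url!r}")
    for _ in range(max_redirects + 1):
        status, headers, body = opener(url)
        target = _redirect_target(url, status, headers)
        if target is None:
            return status, headers, body
        url = target                               # new host is never re-checked
    raise BlockedHostError("too many redirects")


def guarded_get(url, opener, resolver=None, max_redirects=5) -> Response:
    """Hardened form: the host check runs before the initial request and before every hop."""
    for hop in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise BlockedHostError(f"unsupported or hostless URL at hop {hop}: {url!r}")
        if not is_global_host(parts.hostname, resolver):
            raise BlockedHostError(f"non-global host rejected at hop {hop}: {parts.hostname}")
        status, headers, body = opener(url)
        target = _redirect_target(url, status, headers)
        if target is None:
            return status, headers, body
        url = target
    raise BlockedHostError("too many redirects")


# Constructed offline fixtures (no real hosts): "redirector.example" plays the
# attacker-controlled public server, 10.0.0.5 an internal service behind the firewall.
FAKE_DNS = {"redirector.example": ["93.184.216.34"], "10.0.0.5": ["10.0.0.5"]}


def fake_resolver(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])              # unknown name behaves like NXDOMAIN


def fake_opener(url: str) -> Response:
    """One request, redirects NOT followed, mimicking the 302 chain in the advisory."""
    if url.startswith("http://redirector.example/"):
        return 302, {"Location": "http://10.0.0.5/admin"}, b""
    if url.startswith("http://10.0.0.5/"):
        return 200, {}, b"internal admin page"
    return 404, {}, b""


def demo() -> Tuple[int, bool]:
    """Returns (status seen by the naive fetch, whether the guarded fetch blocked the hop)."""
    url = "http://redirector.example/start"
    naive_status = initial_check_only_get(url, fake_opener, fake_resolver)[0]
    try:
        guarded_get(url, fake_opener, fake_resolver)
        blocked = False
    except BlockedHostError:
        blocked = True
    return naive_status, blocked


if __name__ == "__main__":
    print(demo())   # (200, True): naive fetch reads the internal page, guarded fetch refuses the redirect
```

Two design points matter when wiring a check like this into a real client. First, the opener must not follow redirects on its own (for example, `allow_redirects=False` in `requests` or a `urllib` opener without `HTTPRedirectHandler`), otherwise the per-hop check never sees the intermediate URLs. Second, resolving the name in the check and letting the HTTP library resolve it again at connect time leaves a window for a DNS answer to change between the two lookups; the robust form connects to the address that was checked, rather than re-resolving the host name.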

Advisories
Source: GitHub GHSA
ID: GHSA-8rp3-xc6w-5qp5
Title: pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
History

Thu, 28 May 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Pyload; Pyload pyload

Type: Vendors & Products
Values Added: Pyload; Pyload pyload

Thu, 28 May 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 18:00:00 +0000

Type: Description
Values Added: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the initial URL. This vulnerability is fixed in 0.5.0b3.dev100.

Type: Title
Values Added: pyLoad: SSRF via HTTP Redirect Bypass in parse_urls API

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T18:53:52.113Z

Reserved: 2026-05-14T20:42:31.370Z

Link: CVE-2026-46561

Vulnrichment

Updated: 2026-05-28T18:53:17.364Z

NVD

Status: Received

Published: 2026-05-28T18:16:36.123

Modified: 2026-05-28T20:16:25.130

Link: CVE-2026-46561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:45:25Z

Weaknesses