530 matches found
CVE-2026-35586
creationtimestamp| type| source ---|---|--- 2026-04-04 09:16:32+00:00| published-proof-of-concept| https://github.com/pyload/pyload/security/advisories/GHSA-ppvx-rwh9-7rj7...
Incorrect Authorization
Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization via the storagefolder configuration option, which allows a user with SETTINGS and ADD permissions to redirect downloads to the Flask...
Server-side Request Forgery (SSRF)
Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the download function. An authenticated attacker with ADD permission can access internal network resources and sensitive...
GHSA-7GVF-3W72-P2PG pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Summary The fix for CVE-2026-33992 GHSA-m74m-f7cr-432x added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are...
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Summary The fix for CVE-2026-33992 GHSA-m74m-f7cr-432x added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are...
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
Vulnerability Details CWE-918: Server-Side Request Forgery SSRF The parseurls API function in src/pyload/core/api/init.py line 556 fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission...
CVE-2026-33992
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network service...
Server-Side Request Forgery
pyLoad is vulnerable to Server-Side Request Forgery. The vulnerability is due to the download engine accepting arbitrary URLs without validation, where an authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata...
Server-side Request Forgery (SSRF)
Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the /api/addPackage endpoint. An attacker can access internal network services and exfiltrate sensitive cloud metadata b...
CVE-2026-33992
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network service...
CVE-2026-33992
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network service...
CVE-2026-33992 pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network service...
CVE-2026-33992 pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network service...
CVE-2026-33992
Summary of findings (CVE-2026-33992): The pyLoad project (and pyload-ng as referenced by multiple advisories) contains a server-side request forgery vulnerability in its download/addPackage path. The root cause is that the download engine accepts arbitrary URLs without proper validation, enabling...
EUVD-2026-16886
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration...
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Summary PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...
GHSA-M74M-F7CR-432X pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Summary PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...
PT-2026-28586
Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev97 Description pyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network...
pyLoad 代码问题漏洞
pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev97 contained code vulnerabilities. These vulnerabilities stemmed from the download engine accepting unverified arbitrary URLs, which could lead to server-side request forgeing attacks...
CVE-2026-32808
pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives encrypted files with non-encrypted headers, causing arbitrary file deletion outside of the extraction...