CVE-2026-46561 pyLoad: SSRF via HTTP Redirect Bypass in parse_urls API

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest used by the parseurls API. An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with...

GHSA-8RP3-XC6W-5QP5 pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API

Summary The SSRF mitigation added in commit 33c55da for GHSA-7gvf-3w72-p2pg is incomplete. The PREREQFUNCTION-based private IP check was correctly applied to HTTPChunk download path but not to HTTPRequest used by the parseurls API. An authenticated attacker can supply a URL pointing to an...

PT-2026-42607

Summary The SSRF mitigation added in commit 33c55da for GHSA-7gvf-3w72-p2pg is incomplete. The PREREQFUNCTION-based private IP check was correctly applied to HTTPChunk download path but not to HTTPRequest used by the parse urls API. An authenticated attacker can supply a URL pointing to an...

pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter

Vulnerability Details CWE-918: Server-Side Request Forgery SSRF The parseurls API function in src/pyload/core/api/init.py line 556 fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission...

PT-2026-30319

Vulnerability Details CWE-918: Server-Side Request Forgery SSRF The parse urls API function in src/pyload/core/api/ init .py line 556 fetches arbitrary URLs server-side via get urlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permissi...