4 matches found
PYSEC-2026-495 pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Summary The fix for CVE-2026-33992 GHSA-m74m-f7cr-432x added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are...
CVE-2026-35463
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMINONLYOPTIONS protection mechanism restricts security-critical configuration values reconnect scripts, SSL certs, proxy credentials to admin-only access. However, this protection is only...
GHSA-7GVF-3W72-P2PG pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Summary The fix for CVE-2026-33992 GHSA-m74m-f7cr-432x added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are...
The vulnerability of the software for downloading pyload files is related to insufficient validation of input data, allowing a perpetrator to execute arbitrary code.
The vulnerability of the software for downloading pyload files is related to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending a specially crafted HTTP request remotely...