cbcvebase.
CVE-2026-33314
published 2026-03-24

Priority: P339, medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS: 0.18% (8.1th percentile)

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.
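
A minimal model of this bug class, added here as an illustration: it is not pyLoad's code, and the `Request` class, the decorator names and the `queue_download` endpoint are hypothetical. It contrasts a local-only check that trusts the Host header with one that decides from the connection's peer address.

```python
import ipaddress
from dataclasses import dataclass, field
from functools import wraps

@dataclass
class Request:  # hypothetical stand-in for a framework request object
    remote_addr: str                             # TCP peer address, set by the server
    headers: dict = field(default_factory=dict)  # sent by the client

class Forbidden(Exception):
    pass

def local_check_host_header(view):
    """Weak form: trusts the Host header, which the caller chooses."""
    @wraps(view)
    def wrapper(req):
        host = req.headers.get("Host", "").partition(":")[0]
        if host not in ("127.0.0.1", "localhost"):
            raise Forbidden("local only")
        return view(req)
    return wrapper

def local_check_peer(view):
    """Stricter form: decides from the connection's peer address only."""
    @wraps(view)
    def wrapper(req):
        try:
            local = ipaddress.ip_address(req.remote_addr).is_loopback
        except ValueError:
            local = False
        if not local:
            raise Forbidden("local only")
        return view(req)
    return wrapper

def queue_download(req):  # hypothetical local-only endpoint
    return "queued"

def allowed(check, req):
    """True if the request passes the given local-only check."""
    try:
        return check(queue_download)(req) == "queued"
    except Forbidden:
        return False

# Constructed sample requests (documentation address range for the remote peer).
SPOOFED = Request("203.0.113.7", {"Host": "127.0.0.1:8000"})
LOCAL = Request("127.0.0.1", {"Host": "127.0.0.1:8000"})
```

Behind a reverse proxy the peer address is the proxy's, so a peer-address check only holds if the proxy itself does not forward these routes from outside.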

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| pyload-ng_project | pyload-ng | < 0.5.0b3.dev97 | 0.5.0b3.dev97 |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev97 | 0.5.0b3.dev97 |
| pyload | pyload | < 0.5.0b3.dev97 | 0.5.0b3.dev97 |