CVE-2026-33992: Server-Side Request Forgery in pyLoad

Severity: 9.3 CRITICAL (NVD)
EPSS: 0.1% (top 80.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; latest update Apr 6

Description

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, pyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys con

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Affected Packages (3 packages)

CVEListV5: pyload/pyload < 0.5.0b3.dev97 (+1)
PyPI: pyload-ng_project/pyload-ng 0.5.0b3.dev96
NVD: pyload/pyload 0.5.0

Patches

Vulnerability Details (6)

[CVEList] pyLoad has SSRF fix bypass via HTTP redirect (2026-04-06)
[OSV] pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) (2026-04-04)
[GHSA] pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) (2026-04-04)
[CVEList] pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration (2026-03-27)
[OSV] pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration (2026-03-27)

Threat Intelligence (2)

[Wiz] CVE-2026-35459 Impact, Exploitability, and Mitigation Steps | Wiz
[Wiz] CVE-2026-33992 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-33992 — Server-Side Request Forgery in Pyload | cvebase