CVE-2026-35187Server-Side Request Forgery in Pyload

CWE-918Server-Side Request Forgery5 documents5 sources
Severity
7.7HIGHNVD
EPSS
0.0%
top 91.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
PyloadPyload-ng Project Pyload-ng
Timeline
PublishedApr 6

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), inte

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

CVEListV5pyload/pyload0.5.0b3.dev96
PyPIpyload-ng_project/pyload-ng0.5.0b3.dev96

🔴Vulnerability Details

3
CVEList
pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter2026-04-06
OSV
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter2026-04-04
GHSA
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter2026-04-04

🕵️Threat Intelligence

1
Wiz
CVE-2026-35187 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35187 — Server-Side Request Forgery in Pyload | cvebase