CVE-2026-35459 — Server-Side Request Forgery in Pyload

CWE-918 — Server-Side Request Forgery5 documents5 sources

Severity

9.3CRITICALNVD

EPSS

0.0%

top 90.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyload Pyload-ng Project Pyload-ng

Timeline

PublishedApr 6

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user wit…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Affected Packages2 packages

▶CVEListV5pyload/pyload0.5.0b3.dev96

▶PyPIpyload-ng_project/pyload-ng0.5.0b3.dev96

🔴Vulnerability Details

CVEList

pyLoad has SSRF fix bypass via HTTP redirect↗2026-04-06

▶

OSV

pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)↗2026-04-04

▶

GHSA

pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)↗2026-04-04

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35459 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶