CVE-2026-33992
Description
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, pyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can exploit this to reach internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including the droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
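The root cause described above is a download engine that passes a user-supplied URL straight to the network layer without asking where it points. The function below is an added example (not pyLoad's code; the patch in this record uses pyLoad's own `is_ip_address`, `is_global_address` and `host_to_ip` helpers) of the destination check that closes this class of SSRF: it uses only the standard library's `ipaddress` and `urllib.parse`, rejects non-http(s) schemes, and refuses any host that resolves to a non-global address. The `CONSTRUCTED_DNS` table, the `table_resolver` and the function name `is_safe_download_url` are assumptions made so the example runs offline; `system_resolver` shows the real lookup you would plug in.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed name table so the example runs offline. Addresses are
# illustrative placeholders; 8.8.8.8 and 1.1.1.1 stand in for "some public host".
CONSTRUCTED_DNS = {
    "mirror.example.net": ["8.8.8.8"],
    "metadata.internal.example": ["169.254.169.254"],  # link-local, like a cloud metadata service
    "dual.example.org": ["1.1.1.1", "10.0.0.5"],       # one public, one private answer
}


def table_resolver(hostname):
    """Offline resolver backed by CONSTRUCTED_DNS; raises OSError like getaddrinfo does."""
    try:
        return CONSTRUCTED_DNS[hostname.lower()]
    except KeyError:
        raise OSError(f"constructed resolver: no record for {hostname}")


def system_resolver(hostname):
    """Real resolver: every A/AAAA answer for hostname, as address strings."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_safe_download_url(url, resolver=table_resolver):
    """Return (ok, reason, addresses).

    ok is True only when the URL uses http(s), names a host, and every
    address the host resolves to is globally routable. A literal IP host is
    checked directly; a hostname is resolved and every answer is checked,
    so a host with one public and one internal answer is rejected.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed", []
    host = parts.hostname
    if not host:
        return False, "URL has no host", []
    try:
        # Literal IPv4/IPv6 host (urlparse strips the [] around IPv6 literals).
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}", []
    addrs_str = [str(a) for a in addrs]
    for addr in addrs:
        # is_global is False for loopback, link-local, RFC 1918, ULA,
        # unspecified and the documentation ranges.
        if not addr.is_global:
            return False, f"{host} resolves to non-global address {addr}", addrs_str
    return True, "ok", addrs_str


if __name__ == "__main__":
    for candidate in (
        "http://mirror.example.net/file.zip",
        "http://169.254.169.254/",
        "http://metadata.internal.example/",
        "http://dual.example.org/",
        "http://[::1]:8000/",
        "file:///etc/hostname",
    ):
        ok, reason, addrs = is_safe_download_url(candidate)
        print(f"{'ALLOW' if ok else 'DENY '} {candidate}  ({reason})")
```

Two design points matter in practice. First, every resolved answer is checked, not just the first, which is what rejects `dual.example.org`. Second, this check resolves the name once; the HTTP client will resolve it again when it connects, so a production version should pin the vetted address at connect time and repeat the check on each redirect target rather than only on the initial URL. Note also that `ipaddress` treats the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, so do not use them as stand-ins for "public" hosts in tests.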
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyload-ng (PyPI) | <= 0.5.0b3.dev96 | — |
Affected products
Patches
b76b6d4ee5e3 fix GHSA-m74m-f7cr-432x security advisory
2 files changed · +12 −0
src/pyload/plugins/base/downloader.py+11 −0 modified@@ -1,10 +1,13 @@ import mimetypes import os import re +import urllib from pyload.core.network.exceptions import Fail from pyload.core.network.http.exceptions import BadHeader from pyload.core.utils import format, fs, parse +from pyload.core.utils.web.check import is_global_address, is_ip_address +from pyload.core.utils.web.convert import host_to_ip from ..helpers import exists from .hoster import BaseHoster @@ -329,6 +332,14 @@ def download( ) self.check_status() + dl_hostname = urllib.parse.urlparse(dl_url).hostname + if is_ip_address(dl_hostname) and not is_global_address(dl_hostname): + self.fail(self._("Refusing to download from Server-Side host {}".format(dl_hostname))) + else: + for ip in host_to_ip(dl_hostname): + if not is_global_address(ip): + self.fail(self._("Refusing to download from Server-Side host {} ({})".format(dl_hostname, ip))) + newname = self._download( dl_url, dl_filename, get, post, referrer, cookies, disposition, resume, chunks )
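Review bot: In the download() hunk the new check resolves dl_hostname with host_to_ip and then passes the unchanged dl_url string to self._download, which resolves the name again on its own; a lookup that answers differently the second time is not covered, so pin the vetted address (or re-check at connect time), and if _download follows HTTP redirects, run the same check on every redirect target, since only the initial URL is inspected here. The line `dl_hostname = urllib.parse.urlparse(dl_url).hostname` relies on the first hunk's bare `import urllib`, which does not itself load the `urllib.parse` submodule; write `import urllib.parse` (or `from urllib.parse import urlparse`) so the code does not depend on an import made elsewhere. `urlparse(...).hostname` is also None for a URL without a netloc, so either guard for None before the `is_ip_address` / `host_to_ip` calls or confirm those helpers reject None cleanly.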
src/pyload/webui/app/__init__.py+1 −0 modified@@ -69,6 +69,7 @@ def deny_iframe(response): return response # Dynamically set SESSION_COOKIE_SECURE according to the value of X-Forwarded-Proto + # TODO: Add trusted proxy check @app.before_request def set_session_cookie_secure(): x_forwarded_proto = flask.request.headers.get("X-Forwarded-Proto", "")
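Review bot: The added `# TODO: Add trusted proxy check` leaves set_session_cookie_secure honouring X-Forwarded-Proto from whichever client sent the request, so the proxy check belongs in this fix rather than a later one: only read the header when flask.request.remote_addr is one of the configured reverse-proxy addresses, or mount Werkzeug's ProxyFix (werkzeug.middleware.proxy_fix, with x_proto=1) in front of the app so that untrusted hops cannot influence the cookie's Secure flag. If it must stay a TODO, the changelog should say that the Secure flag currently follows an unauthenticated header.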
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8 (NVD: Patch)
- github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-m74m-f7cr-432x (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33992 (GHSA: Advisory)