Medium severity6.5NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33992
CVE-2026-33992
Description
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pyload-ngPyPI | <= 0.5.0b3.dev96 | — |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8nvdPatchWEB
- github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432xnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-m74m-f7cr-432xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33992ghsaADVISORY
News mentions
0No linked articles in our index yet.