VYPR
High severity · 7.7 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 20, 2026

CVE-2026-35187

Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with the ADD permission can therefore make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via the file:// protocol (pycurl reads the file server-side), interact with internal services via the gopher:// and dict:// protocols, and enumerate file existence via an error-based oracle (error 37 versus an empty response).
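The description names the three missing controls: no scheme restriction, no host validation, no address blacklist. The following is an added example, not pyLoad's code or its fix, of the pre-fetch check a defender would put in front of any server-side fetcher: it allowlists schemes, resolves the host, requires every resolved address to be globally routable, and returns a reason so a rejection can be logged instead of silently skipped. The names (validate_fetch_url, all_addresses_global, fake_resolver, FAKE_DNS) and the constructed DNS fixture are this example's own assumptions. It goes a little beyond the page by also unwrapping IPv4-mapped IPv6 literals and by rejecting names whose answer set mixes public and private addresses.

```python
"""Pre-fetch URL validation for a server-side fetcher (SSRF mitigation).

Added example, not pyLoad's code. It assumes the caller has some fetch(url)
function (pycurl in pyLoad's case) that runs only after this check passes,
and that a resolver can be injected so the logic is testable offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlparse

# Only the schemes the feature needs; file://, gopher://, dict:// and so on
# are rejected before any network or filesystem access happens.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# A resolver maps a hostname to the textual addresses it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the OS resolver and return every A/AAAA answer, deduplicated."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def all_addresses_global(hostname: str, resolver: Resolver) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only if every address behind the host is globally routable.

    Checking every answer matters: a name that returns one public and one
    private address must be rejected, because the client may pick the private one.
    """
    try:
        addrs = [ipaddress.ip_address(hostname)]  # literal IP: no DNS lookup at all
    except ValueError:
        try:
            raw = list(resolver(hostname))
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            return False, f"resolution failed: {exc}"
        if not raw:
            return False, "host resolved to no addresses"
        try:
            addrs = [ipaddress.ip_address(a) for a in raw]
        except ValueError as exc:
            return False, f"resolver returned a non-IP answer: {exc}"

    for ip in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
        mapped = getattr(ip, "ipv4_mapped", None)
        if mapped is not None:
            ip = mapped
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # where cloud metadata services live), shared address space, etc.
        if not ip.is_global:
            return False, f"{ip} is not globally routable"
    return True, "ok"


def validate_fetch_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason) so the caller can reject loudly (raise, log, audit)
    rather than silently skipping the fetch.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname  # already lower-cased and stripped of [] for IPv6
    if not host:
        return False, "URL has no hostname"
    return all_addresses_global(host, resolver)


# Constructed DNS fixture so the example runs without network access.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],                # public only
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],   # mixed public/private answers
}


def fake_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver driven by FAKE_DNS; unknown names resolve to nothing."""
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    for candidate in (
        "https://files.example.com/links.html",
        "http://169.254.169.254/",
        "file:///etc/passwd",
        "gopher://intranet.example/",
        "http://rebind.example.com/",
        "http://[::ffff:127.0.0.1]/",
    ):
        print(candidate, "->", validate_fetch_url(candidate, fake_resolver))
```

Run as a script to see each candidate's verdict. One caveat the check cannot remove on its own: the validation and the fetch resolve the name at two different moments, so a fetcher that pins the connection to the address that was checked, or re-validates on every redirect it follows, is what closes the remaining gap.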

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pyload-ng (PyPI)
Affected versions: <= 0.5.0b3.dev96
Patched versions: not listed

Affected products: 1

Patches

4032e57d61d8

fix GHSA-2wvg-62qm-gj33 security advisory

https://github.com/pyload/pyload · GammaC0de · Apr 1, 2026 · via ghsa
2 files changed · +24 −3
  • src/pyload/core/api/__init__.py · +8 −3 · modified
    @@ -13,11 +13,13 @@
     import time
     from enum import IntFlag
     from typing import Any, Callable, Optional
    +from urllib.parse import urlparse
     
     import flask
     from werkzeug.utils import secure_filename
     
     from pyload import PKGDIR
    +from pyload.core.utils.web.check import is_global_host
     
     from ..datatypes.data import (
         AccountInfo, CaptchaTask, ConfigItem, ConfigSection, DownloadInfo, EventInfo, FileData, OldUserData, OnlineCheck,
    @@ -43,7 +45,7 @@
     
     
     RE_URLMATCH = re.compile(
    -    r"(?:https?|ftps?|xdcc|sftp):(?://|\\\\)+[\w\-._~:/?#\[\]@!$&'()*+,;=]*|magnet:\?.+",
    +    r"(?:https?|ftps?|xdccs?|sftp):(?://|\\\\)+[\w\-._~:/?#\[\]@!$&'()*+,;=]*|magnet:\?.+",
         re.IGNORECASE,
     )
     
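Review bot: the RE_URLMATCH change from `xdcc` to `xdccs?` in this hunk is unrelated to the SSRF fix the commit message names (GHSA-2wvg-62qm-gj33); it widens which links parse_urls extracts rather than restricting what gets fetched. Split it into its own commit or mention it in the message so the security change stays reviewable on its own.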
    @@ -585,8 +587,11 @@ def parse_urls(self, html: Optional[str] = None, url: Optional[str] = None) -> d
                 urls.update(RE_URLMATCH.findall(html))
     
             if url:
    -            page = get_url(url)
    -            urls.update(RE_URLMATCH.findall(page))
    +            urlp = urlparse(url)
    +            hostname = urlp.hostname
    +            if urlp.scheme in ("http", "https") and hostname and is_global_host(hostname):
    +                page = get_url(url)
    +                urls.update(RE_URLMATCH.findall(page))
     
             return self.check_urls(list(urls))
     
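Review bot: a URL that fails the new scheme/host check is silently dropped (the `if` has no `else`), so a caller passing an internal or file:// URL gets a shorter result with no error and no log line; raising or logging at the rejection point makes blocked requests visible to operators and keeps the API's failure explicit. Separately, is_global_host resolves `hostname` once and get_url then resolves it again inside pycurl; between the two lookups a name with short-TTL or changing answers can resolve differently, so the stronger form is to connect to the address that was checked (or re-check inside get_url), and the same applies to any redirect get_url follows, which this check never sees.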
    
  • src/pyload/core/utils/web/check.py · +16 −0 · modified
    @@ -4,6 +4,7 @@
     import time
     
     from ...network.request_factory import get_url
    +from ..convert import host_to_ip
     
     
     def is_ipv4_address(value):
    @@ -100,6 +101,21 @@ def is_global_address(value):
             return False
     
     
    +def is_global_host(value):
    +    """
    +    Check whether the provided host address resolves to a globally routable IP address.
    +
    +    Parameters:
    +    - value (str): The input host to check.
    +
    +    Returns:
    +    - bool: True if the value is a global (publicly routable) host,
    +      False for non-global addresses or if the input is invalid.
    +    """
    +    ips = host_to_ip(value)
    +    return ips and all((is_global_address(ip) for ip in ips))
    +
    +
     def is_port(value):
         """
         Validate whether an integer is a valid TCP/UDP port number.
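Review bot: `return ips and all((is_global_address(ip) for ip in ips))` does not return a bool as the docstring promises: when host_to_ip returns an empty list or None, that value is returned as-is, and `all(...)` runs only when ips is truthy. `return bool(ips) and all(is_global_address(ip) for ip in ips)` fixes the type (the extra parentheses around the generator are also unnecessary). The docstring also says False is returned "if the input is invalid", which only holds if host_to_ip never raises on an unresolvable or malformed host; if it can raise, catch it here, since parse_urls calls this directly on user-supplied input.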
    
