Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), interact with internal services via gopher:// and dict:// protocols, and enumerate file existence via error-based oracle (error 37 vs empty response).

INFO

Published Date :

2026-04-06T19:33:06.557Z

Last Modified :

2026-04-06T19:33:06.557Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35187 vulnerability.

Vendors Products
Pyload
  • Pyload
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35187.

URL Resource
https://github.com/pyload/pyload/commit/4032e57d61d8f864e39f4dcfdb567527a50a9e1f cve-icon cve-icon
https://github.com/pyload/pyload/security/advisories/GHSA-2wvg-62qm-gj33 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact