Description

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.

INFO

Published Date :

2026-04-06T19:37:00.598Z

Last Modified :

2026-04-06T19:37:00.598Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35459 vulnerability.

Vendors Products
Pyload
  • Pyload
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35459.

URL Resource
https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443 cve-icon cve-icon
https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability